Webhooks Overview
Webhooks allow you to receive real-time notifications about transaction events. Instead of polling for status updates, ZoPay will automatically send HTTP POST requests to your registered endpoint when events occur.
How Webhooks Work
- Register a webhook endpoint in your dashboard (or via API) with your server URL
- ZoPay generates a unique webhook secret (shown only once - save it securely!)
- ZoPay sends HTTP POST requests to your endpoint when events occur
- Your server verifies the webhook signature using the provided secret
- Your server checks the delivery ID for idempotency (prevent duplicates)
- Your server processes the event and updates your system
- Your server returns a 200 OK response within 30 seconds
Important: Your webhook secret is shown only once when you register the endpoint. Make sure to save it securely in your environment variables or secret management system. You'll need it to verify webhook signatures.
Supported Events
Important: You must subscribe to all 6 required events when registering a webhook endpoint. This ensures you receive all transaction notifications.
| Event | Description | When It Fires |
|---|---|---|
payment.succeeded | Payment completed successfully | When a collection transaction succeeds |
payment.failed | Payment failed | When a collection transaction fails |
payout.completed | Payout sent successfully | When a disbursement/payout succeeds |
payout.failed | Payout failed | When a disbursement/payout fails |
refund.completed | Refund processed | When a refund is successfully processed |
settlement.generated | Settlement created | When a new settlement is generated |
Required Events: All 6 events listed above must be included when registering a webhook endpoint. You cannot subscribe to a subset of events.
Key Features
- ✅ Real-time notifications for all transaction events
- ✅ HMAC signature verification for security
- ✅ Automatic retries with exponential backoff (6 attempts)
- ✅ Dead letter queue for failed deliveries
- ✅ Manual replay of failed webhooks
- ✅ Delivery logs and monitoring
Webhook Security
All webhooks include an HMAC-SHA256 signature in the X-Zo-Signature header. Always verify this signature before processing webhook payloads to ensure requests are from ZoPay.
Critical Security Requirements
- Always verify signatures: Never process webhooks without signature verification
- Use raw body: Capture the raw request body (before JSON parsing) for signature verification
- Check timestamp: Reject requests older than 5 minutes (replay attack prevention)
- Signature format: The signature header contains only the hex string (no
sha256=prefix) - Timestamp format: Timestamp is in milliseconds, not seconds
For detailed signature verification instructions, see the Webhook Security page.
Retry Logic
If your server doesn't respond with HTTP 200-299, ZoPay will automatically retry the webhook delivery (up to 6 attempts):
| Attempt | Delay | Total Time |
|---|---|---|
| 1 | Immediate | 0s |
| 2 | 1 minute | 1m |
| 3 | 5 minutes | 6m |
| 4 | 15 minutes | 21m |
| 5 | 1 hour | 1h 21m |
| 6 | 6 hours | 7h 21m |
After 6 failed attempts, the webhook is moved to the Dead Letter Queue (DLQ) where you can manually replay it after fixing the issue.
Response Codes: Return 200 OK even if processing fails (if you don't want retries), or return 500/502/503 if you want ZoPay to retry the webhook.
Best Practices
- Always verify signatures: Never process webhooks without signature verification - this is critical for security
- Use raw body for signature: Capture the raw request body before JSON parsing for signature verification
- Respond quickly: Return HTTP 200 within 30 seconds. Process webhooks asynchronously using a queue if needed.
- Implement idempotency: Use
X-Zo-Delivery-Idheader to prevent duplicate processing - Handle duplicates: Webhooks may be delivered more than once. Always check delivery ID before processing.
- Check timestamps: Verify timestamp is within 5 minutes to prevent replay attacks
- Use HTTPS: Webhook URLs must use HTTPS in production (HTTP is only allowed for local testing)
- Store secrets securely: Never commit webhook secrets to code - use environment variables or secret management
- Log everything: Log all webhook deliveries for debugging and auditing
- Monitor deliveries: Regularly check webhook delivery status in the dashboard and set up alerts for failed webhooks
- Handle errors gracefully: Don't let processing errors crash your server
- Subscribe to all events: All 6 events are required when registering a webhook endpoint
Monitoring and Logging
It's important to monitor your webhook activity to ensure everything is working correctly:
What to Monitor
- Webhook Receipts: Track all incoming webhooks
- Success Rate: Monitor successful vs failed webhook processing
- Signature Verification: Track invalid signature attempts (security concern)
- Duplicate Deliveries: Monitor how often duplicate webhooks are received
- Response Times: Ensure responses are within 30 seconds
- Error Rates: Alert on high error rates
Webhook Status Indicators
Your webhook handler should track these statuses:
- SUCCESSWebhook processed successfully
- ERRORError during processing - check logs
- INVALID_SIGNATURESignature verification failed - security issue
- DUPLICATEAlready processed (idempotency working correctly)
Logging Best Practices
- Log all receipts: Include delivery ID, event type, timestamp, status
- Store payloads: Keep payload data for troubleshooting (sanitize sensitive data)
- Track errors: Log full error context for debugging
- Set up alerts: Alert on security issues or high error rates
- Use persistent storage: Store logs in database or logging service (not just in-memory)
Production Checklist
Before going to production, ensure:
- ✅ Webhook endpoint uses HTTPS only
- ✅ Signature verification is implemented and tested
- ✅ Timestamp validation is in place (prevent replay attacks)
- ✅ Idempotency is implemented (prevent duplicate processing)
- ✅ Webhook secret is stored securely (not in code)
- ✅ Error handling is implemented
- ✅ Logging is in place for debugging
- ✅ Endpoint responds within 30 seconds
- ✅ Endpoint is publicly accessible
- ✅ All 6 event types are handled
- ✅ Monitoring and alerts are set up
- ✅ Database integration for persistent storage (if needed)
Next Steps
- Learn how to Register a Webhook Endpoint
- See all available Webhook Events
- Understand Webhook Security and Signature Verification
- View Your Webhook Endpoints in the dashboard