Postbacks
For postback data and examples, see the Payment API and Refund API references.
Retry Policy
If your postback endpoint does not respond or responds with any status other than 200 OK, the API will automatically retry the postback every 10 minutes, up to 10 attempts in total.
After these attempts, the system stops retrying, but the customer will still be redirected to your success_url or error_url as usual.
Verifying Postback Signatures
To ensure the authenticity and integrity of incoming postbacks, every outgoing postback and data forwarding includes a digital signature in the HTTP header:
| Header | Description |
|---|---|
| Gateway-Webhook-Signature | SHA256 HMAC signature of the raw request body, base64-encoded (no newlines or whitespace) |
The signature is calculated using your Webhook Key (found in My Company → Integration Data in the Dashboard).
Always verify the signature before processing a postback. If the signature does not match, reject the request — it may have been tampered with or sent by an unauthorized source.
How to verify:
Compare the value of the Gateway-Webhook-Signature header with the result of:
base64(hmac_sha256(raw_body, webhook_key))
Where raw_body is the full body of the postback request received by your server and webhook_key is your Webhook Key.
Given:
- Post content: id=123&name=John%20Doe
- Webhook Key: c54b7f22bc69f87b731c
The expected signature is:
5Wc1Uxqje5HVcFA7fcxonkl2QdKBq7BQtt3i7bPpaeA=
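One way to implement the check above on the receiving side, as an added example (not code from the gateway's documentation). It assumes the Webhook Key is used as its UTF-8 bytes rather than hex-decoded, and the function names and the 401 rejection status are choices made here; running it prints a signature for the sample values that you can compare with the expected one above to confirm the key-encoding assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

HEADER = "Gateway-Webhook-Signature"


def compute_signature(raw_body: bytes, webhook_key: bytes) -> str:
    """base64(hmac_sha256(raw_body, webhook_key)), returned without newlines."""
    digest = hmac.new(webhook_key, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_postback(raw_body: bytes, headers: dict, webhook_key: bytes) -> bool:
    """True only if the header signs the exact bytes that were received."""
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    if not received:
        return False  # missing or empty header: reject
    expected = compute_signature(raw_body, webhook_key)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8"))


def handle_postback(raw_body: bytes, headers: dict, webhook_key: bytes) -> int:
    """Return the HTTP status to send: 200 only for a verified postback."""
    if not verify_postback(raw_body, headers, webhook_key):
        return 401  # choice made here; any non-200 counts as a failed delivery
    # Process the payment or refund data here, only after verification.
    return 200


# Constructed demo using the sample body and key from this page.
# Assumption: the Webhook Key is used as its UTF-8 bytes, not hex-decoded.
KEY = b"c54b7f22bc69f87b731c"
BODY = b"id=123&name=John%20Doe"
SIGNED = {HEADER: compute_signature(BODY, KEY)}
# Parsing and re-serialising the form changes the bytes ("%20" becomes "+"),
# so the signature must be checked against the body exactly as received.
REENCODED = urlencode(parse_qsl(BODY.decode())).encode()

if __name__ == "__main__":
    print(compute_signature(BODY, KEY))             # compare with the page's value
    print(handle_postback(BODY, SIGNED, KEY))       # untouched body
    print(handle_postback(REENCODED, SIGNED, KEY))  # re-encoded body
    print(handle_postback(BODY, {}, KEY))           # header missing
```

Read the body as raw bytes before any framework form parsing, since the re-encoded case shows that a semantically identical body no longer verifies.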