Webhooks allows you to receive notifications in your own backend whenever your company account or your payment objects changes state (you can find a visual of payment states in the Payments page ). This guide describes how to setup a webhook and verify the integrity of the notification.
Webhook Setup and Verification Guide
The notification payload:
All notifications contains a message type which is either company
or payment
, and the id and current state of the payment/company. A payment notification also contains type of payment, and optionally a parent id, if the payment is linked to another payment.
{
"message_type": "Payment",
"id": 123,
"state": "PROCESSED",
"type": "WITHDRAWAL",
"parent": 1121
}
{
"message_type": "Company",
"id": 123,
"state": "ACTIVE",
}
The fields expained:
- id: The unique identifier of the object.
- messageType:
Payment
,Company
. - state: The current state of the object. Possible states include:
- For payments (see also the Payments page):
PENDING
REJECTED_COMPLIANCE
REJECTED_APPROVAL
REJECTED_SIGNING
INITIATED_PAYMENT
PROCESSING_PAYMENT
PROCESSED
FAILED
REVERSED
- For companies:
ACTIVE
FROZEN
UNDER_INVESTIGATION
DEACTIVATED
PENDING_KYC
PENDING_BLOCKCHAIN_ACTIVATION
FAILED_KYC
PENDING_CUSTOMER_CONSENT
PENDING_KYC_APPROVAL
PENDING_PASSWORD_CREATION
- For payments (see also the Payments page):
The following are relevant for payment objects only:
- type: The PaymentType of the payment Object. Possible states include:
TRANSFER
PAYOUT
PAY_IN
WITHDRAWAL
- parent: Id of the parent PaymentObject if it exists.
null
- if no parent object exists123
- integer id of the parent object
Setting Up a Webhook
To set up a webhook, follow these steps:
- Create an HTTP POST endpoint that accepts the JSON notification payload shown above. The endpoint must return a successful status code (200) as quickly as possible, before performing any complex logic that could cause a timeout.
- Register the endpoint with ComplyPay using the Create Payment Webhook endpoint.
Webhook Signatures
ComplyPay signs every webhook notification it sends to your endpoint by including an X-Payload-Signature
header with the payload's signature. It is recommended to use these signatures to verify that the webhook request is legitimate and was generated by ComplyPay.
Steps to Verify a Webhook Request
- Retrieve the
X-Payload-Signature
header from the request. - Retrieve the webhook HTTP body as bytes.
- Generate a signature by signing the body from step 2 with the secret key generated when creating the webhook. Use the
HmacSHA512
algorithm for signing. - Verify that the
X-Payload-Signature
header matches the signature generated in step 3.
Below is an example implementation in Java:
@ResponseBody
@PostMapping(produces = MediaType.APPLICATION_JSON_VALUE, value = "https://yourcompany.com/payment-webhook-consume", consumes = MediaType.APPLICATION_JSON_VALUE)
public void consumeData(@Valid @RequestBody byte[] body, @RequestHeader(name = "X-Payload-Signature") String signature) throws NoSuchAlgorithmException, InvalidKeyException {
String ALGORITHM = "HmacSHA512";
String SECRET = "<YOUR_WEBHOOK_SECRET_KEY>";
SecretKey key = new SecretKeySpec(SECRET.getBytes(StandardCharsets.UTF_8), ALGORITHM);
Mac mac = Mac.getInstance(ALGORITHM);
mac.init(key);
byte[] calculatedSignature = mac.doFinal(body);
String calculatedSignatureString = Base64.getEncoder().encodeToString(calculatedSignature);
boolean isValid = calculatedSignatureString.equals(signature);
if (isValid) {
// Process the webhook payload
} else {
// Handle the invalid signature
}
}
By following these instructions, you can ensure that your application receives and verifies webhook notifications securely and efficiently.