Guides

Webhooks

Webhooks allow your application to receive real-time notifications about events in your Payonify account, enabling you to automate workflows and keep your systems in sync with the payment lifecycle.

How Webhooks Work

sequenceDiagram participant Customer participant Your App participant Payonify participant Your Server Customer->>Your App: Initiates payment Your App->>Payonify: Create charge/checkout Payonify-->>Your App: Returns response Note over Payonify: Payment processed Payonify->>Your Server: POST webhook event Your Server->>Your Server: Verify signature Your Server-->>Payonify: 200 OK Your Server->>Your App: Update order status

Setting Up Webhooks

Navigate to the Webhooks section in your Payonify dashboard
Enter your webhook endpoint URL (must be HTTPS in production)
Copy your webhook secret (whsec_xxxx) for signature verification
Save your configuration

Keep Your Secret Safe

Never expose your webhook secret in client-side code or public repositories. If compromised, rotate it immediately from your dashboard.

Webhook Events

Payonify sends notifications for key payment lifecycle events:

Event	Description
`charge.succeeded`	Charge completed successfully
`charge.failed`	Charge failed
`checkout.succeeded`	Checkout session completed successfully
`checkout.failed`	Checkout session failed
`refund.succeeded`	Refund completed successfully
`refund.failed`	Refund failed
`payout.succeeded`	Payout completed successfully
`payout.failed`	Payout failed

Event Payload Structure


Code
 
{
  "id": "evt_wcmozs2wurgkcfe5jq4q",
  "type": "charge.succeeded",
  "object": "event",
  "created": 1763891091,
  "livemode": "false",
  "data": {
    "object": {
      "id": "ch_pujhja2l7plqtngoad76jdcs",
      "object": "charge",
      "status": "succeeded",
      "description": "Small Granite Chips",
      "amount": {
        "value": 6605,
        "currency": "usd"
      },
      "created": 1763891078,
      "paid": true,
      "livemode": "false",
      "payment_method": "mobile_money",
      "receipt_email": "Mathias_Hane@yahoo.com",
      "return_url": "http://example.com/success",
      "statement_descriptor": "ACME Store",
      "client_secret": "ch_xxx_secret_xxxxx",
      "cancelled_at": null,
      "cancellation_reason": null,
      "refund_reference": null,
      "failure_code": null,
      "failure_reason": null,
      "metadata": {
        "order_id": "7",
        "order_description": "Ergonomic Granite Shoes"
      },
      "shipping": {
        "name": "Caroline",
        "phone": "1-732-402-2396",
        "carrier": "Fedex",
        "tracking_number": "6n0hk430kpyuvl5dhb7f",
        "address": {
          "line1": "658 Goldner Spur",
          "line2": "Apt. 820",
          "city": "Aleenmouth",
          "province": "Texas",
          "country": "ZW"
        }
      },
      "payment_method_details": {
        "type": "mobile_money",
        "mobile_money": {
          "type": "c2b",
          "brand": "ecocash",
          "network": "Econet",
          "reference": "MP251123.0944.D60273",
          "customer_number": "771111111",
          "merchant_name": "Payonify Test Merchant",
          "merchant_code": "028538",
          "merchant_number": "789643586"
        }
      }
    }
  }
}

Payout Event Payload Example


Code
 
{
  "id": "evt_po_wcmozs2wurgkcfe5jq4q",
  "type": "payout.succeeded",
  "object": "event",
  "created": 1763891091,
  "livemode": "false",
  "data": {
    "object": {
      "id": "po_a7eryb3kdb6ljkzqe5vg3jbf",
      "object": "payout",
      "status": "paid",
      "description": "Monthly salary payment",
      "amount": {
        "value": 5000,
        "currency": "usd"
      },
      "created": 1763891078,
      "livemode": "false",
      "metadata": {
        "employee_id": "12345",
        "payment_type": "salary"
      },
      "destination_details": {
        "type": "mobile_money",
        "mobile_money": {
          "brand": "ecocash",
          "reference": "CI270218.0450.T0691170",
          "recipient_number": "771111111",
          "recipient_name": "John Doe",
          "channel_number": "789643586",
          "network": "Econet"
        }
      },
      "failure_code": null,
      "failure_message": null
    }
  }
}

Verifying Webhook Signatures

Every webhook includes a Payonify-Signature header that you must verify before processing the event.

Signature Header Format

Code
 
Payonify-Signature: t=1621267018,v1=5c52d36d49d6a2a243ca3dfe17fd9d4df3e04532d528528d46e13d0f2d2example

t= — Unix timestamp when the webhook was sent
v1= — HMAC-SHA256 signature

Verification Steps

Extract the timestamp (t) and signature (v1) from the header
Concatenate: {timestamp}.{raw_request_body}
Compute HMAC-SHA256 using your webhook secret
Compare your computed signature with the received signature
Verify the timestamp is within tolerance (recommended: 5 minutes)

Implementation Examples

Code

const crypto = require('crypto');

const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET; // whsec_xxxx
const TOLERANCE_SECONDS = 300; // 5 minutes

function verifyWebhook(payload, signatureHeader) {
const parts = signatureHeader.split(',').reduce((acc, part) => {
  const [key, value] = part.split('=');
  acc[key] = value;
  return acc;
}, {});

const timestamp = parseInt(parts['t'], 10);
const receivedSignature = parts['v1'];

// Check timestamp tolerance
const now = Math.floor(Date.now() / 1000);
if (now - timestamp > TOLERANCE_SECONDS) {
  throw new Error('Webhook timestamp too old');
}

// Compute expected signature
const signedPayload = `${timestamp}.${payload}`;
const expectedSignature = crypto
  .createHmac('sha256', WEBHOOK_SECRET)
  .update(signedPayload)
  .digest('hex');

// Compare signatures (timing-safe)
if (!crypto.timingSafeEqual(
  Buffer.from(expectedSignature),
  Buffer.from(receivedSignature)
)) {
  throw new Error('Invalid webhook signature');
}

return JSON.parse(payload);
}

// Express.js example
app.post('/webhooks/payonify', express.raw({ type: 'application/json' }), (req, res) => {
try {
  const event = verifyWebhook(
    req.body.toString(),
    req.headers['payonify-signature']
  );

  switch (event.type) {
    case 'charge.succeeded':
      // Payment successful - fulfill order
      break;
    case 'charge.failed':
      // Payment failed - notify customer
      break;
  }

  res.status(200).send('OK');
} catch (err) {
  res.status(400).send('Webhook verification failed');
}
});

Elixir: Preserve Raw Body

For Phoenix apps, you'll need a custom body reader plug to preserve the raw request body for signature verification.

Handling Events

Respond Quickly

Your webhook endpoint should return a 200 status code as quickly as possible. Move any heavy processing to a background job queue.

Retry Policy

If your endpoint doesn't respond with a 2xx status code, Payonify will retry delivery with exponential backoff:

Attempt	Backoff
1st retry (attempt 2)	~4 seconds
2nd retry (attempt 3)	~8 seconds
3rd retry (attempt 4)	~16 seconds
4th retry (attempt 5)	~32 seconds
5th retry (attempt 6)	~1 minute
6th retry (attempt 7)	~2 minutes
7th retry (attempt 8)	~4 minutes
8th retry (attempt 9)	~8 minutes
9th retry (attempt 10)	~17 minutes

After 10 failed attempts, the webhook is marked as failed.

Idempotency

Handle Duplicates

Webhooks may be delivered more than once. Use the event id to ensure you don't process the same event twice.


Code
 
// Example: Track processed events
const processedEvents = new Set();

async function handleWebhook(event) {
  if (processedEvents.has(event.id)) {
    return; // Already processed
  }

  // Process the event...

  processedEvents.add(event.id);
}

For production, store processed event IDs in your database with an appropriate TTL.

Security Best Practices

Always verify signatures — Never skip verification in production
Use HTTPS — Only expose webhook endpoints over HTTPS
Validate timestamps — Reject webhooks older than 5 minutes
Implement idempotency — Handle duplicate deliveries gracefully
Rotate secrets periodically — Update your webhook secret regularly
Log events — Keep audit logs for debugging and compliance

Troubleshooting

Issue	Solution
Not receiving webhooks	Verify your endpoint is publicly accessible and returns `200`
Signature verification fails	Check you're using the correct webhook secret and raw request body
Events arriving late	Check your server clock is synchronized (NTP)
Duplicate events	Implement idempotency using event IDs

Test Locally

Use tools like ngrok to expose your local development server for webhook testing.

Last modified on March 7, 2026

Payouts