This page describes the webhook feature and how to set it up.

Before anything else, you need to have a URL endpoint set up to receive POST requests. This will be a server location that you control and can use to process webhook messages as they are delivered.

Each endpoint can be subscribed to specific events that happen in the gateway. Most events have multiple versions: success, failure, and unknown.

Available Event Types

Event CategoryDescription
TransactionsSales, auths, captures, voids, refunds, and credits. Each transaction type can be filtered by successful, failed, and unknown transactions.
Check StatusNEW! Available for settled, returned, or late return check statuses.
RecurringAvailable for new, updated, and/or canceled subscriptions and plans.
SettlementBatch summaries and can be filtered by successful and failed settlements.
ChargebacksIf your processor supports chargeback reporting, chargebacks can be delivered as events.
Automatic Card UpdaterAvailable for card records updated, marked as closed, or for customer contact in the Customer Vault and/or recurring subscription records.

Basic Structure

event_idA unique identifier for this event.
event_typeThe type of event that occurred.
event_bodyThe body of the event (depends on event type)

Where To Setup

From the Settings > Webhooks page, click the “Add Endpoint” button.

How to Setup

Enter your webhook receiver URL and select all event types you would like to be notified of from the list. As soon as the URL is saved, you will start to receive events at the URL specified; there is no further setup required. Please note that all URLs must start with “https” and have valid TLS encryption enabled.

How to Validate

The Webhooks settings page shows your webhooks signing key. This value should be used on your website to authenticate that it is the gateway delivering these messages and not a third party.

Here is an example implementation in PHP:

  function webhookIsVerified($webhookBody, $signingKey, $nonce, $sig) {
    return $sig === hash_hmac("sha256", $nonce . "." . $webhookBody, $signingKey);

  try {
    $signingKey = "YOUR_SIGNING_KEY_HERE";
    $webhookBody = file_get_contents("php://input");
    $headers = getallheaders();
    $sigHeader = $headers['Webhook-Signature'];

    if (!is_null($sigHeader) && strlen($sigHeader) < 1) {
      throw new Exception("invalid webhook - signature header missing");

    if (preg_match('/t=(.*),s=(.*)/', $sigHeader, $matches)) {
      $nonce = $matches[1];
      $signature = $matches[2];
    } else {
      throw new Exception("unrecognized webhook signature format");

    if (!webhookIsVerified($webhookBody, $signingKey, $nonce, $signature)) {
      throw new Exception("invalid webhook - invalid signature, cannot verify sender");

    // webhook is now verified to have been sent by us, continue processing

    echo "webhook is verified";
    $webhook = json_decode($webhookBody);
  } catch (Exception $e) {
    echo "error: $e\n";

IP Addresses

Webhooks will only be delivered from the following IP addresses. It is advisable to limit your webhook endpoints to only receive requests originating from these addresses: through through