Accept Payments
Webhooks
What are Webhooks?
Webhooks are HTTP-based real-time push notifications sent by Vaultera Switch to your server. They allow immediate communication of payment status and other events, which is critical for:- Preventing lost business due to delayed payment confirmation (e.g., bookings or time-sensitive purchases).
- Avoiding reconciliation issues when payment statuses change (e.g., from βFailedβ to βSucceededβ).
- Improving user experience by triggering immediate fulfillment after payment success.
βοΈ Configuring Webhooks
1. Create an Endpoint on Your Server
Set up an HTTP or HTTPS endpoint that accepts POST requests. This endpoint will receive webhook notifications from Vaultera Switch, with JSON payloads.2. Register the Webhook URL in Vaultera Switch
Go to your Vaultera Switch Dashboard:- Navigate to Developer β Payment Settings
- Select your Business Profile
- Under the Webhook Setup section, provide the endpoint URL
3. Add Custom HTTP Headers (Optional)
If you want to verify incoming requests with additional security, you can add custom HTTP headers to your webhook. This helps ensure only trusted sources can send requests.You must provide a valid webhook URL before custom headers can be added.
4. Update Vaultera Switch Webhook Endpoints on Connectors
To allow connectors (e.g., Stripe, PayPal) to send updates to Vaultera Switch:- Add Vaultera Switchβs webhook endpoints to their dashboards instead of your own.
Endpoint format:
| Environment | Endpoint |
|---|---|
| Sandbox | https://api.staging.switch.vaultera.co/webhooks/{merchant_id}/{merchant_connector_id} |
| Production | https://api.switch.vaultera.co/webhooks/{merchant_id}/{merchant_connector_id} |
π¬ Webhook Events
You may receive webhooks for the following events:π Webhook Signature Verification
To validate that webhook requests are authentic:Signature Key
When creating a business profile, you can:- Provide your own secret via
payments_response_hash_key - Or let Vaultera Switch generate a secure 64-character key
Signature Generation (Outgoing Webhook)
- JSON encode the webhook payload
- Generate an HMAC-SHA512 digest using the
payments_response_hash_key - Vaultera Switch includes this as a header:
x-webhook-signature-512
β Validating the Webhook Signature
- Retrieve and encode the received payload
- Use HMAC-SHA512 with your secret key to compute the signature
- Compare with the
x-webhook-signature-512in the header - If they match β the webhook is authentic
π§ͺ Troubleshooting Signature Verification
-
Use the correct header:
x-webhook-signature-512(preferred) -
Use the right algorithm:
- For SHA-512:
x-webhook-signature-512 - For SHA-256:
x-webhook-signature-256(fallback)
- For SHA-512:
- Ensure the payload is unaltered before validation
π Webhook Retry Behavior
Vaultera Switch considers a delivery successful only if your server responds with an HTTP 2XX code. If not, webhook retries are attempted for up to 24 hours using exponential backoff:| Retry Attempt | Delay |
|---|---|
| 1st | 1 minute |
| 2ndβ3rd | 5 minutes |
| 4thβ8th | 10 minutes |
| 9thβ13th | 1 hour |
| 14thβ16th | 6 hours |
The delay is counted from the previous attempt, not the original delivery time.
β οΈ Handling Duplicate Webhooks
Webhook retries may result in duplicate deliveries. To ensure idempotency:- Read the
event_idfrom the webhook payload - Check if itβs already processed (store it in a DB or cache like Redis)
- If new β process it; if duplicate β skip it
- Retain
event_ids for at least 24 hours
π Handling Out-of-Order Webhooks
Due to retries and network delays, webhook events may arrive out of order. Use theupdated timestamp in the resource payload to determine if the event is more recent than what your system currently holds: