Webhook
Webhooks in KidaPay allow your application to automatically receive real-time notifications whenever important events happen in the payment lifecycle.
Instead of constantly polling the API to check if an order has been paid, KidaPay will send a POST request to your server with the event details as soon as the status changes.
📌 How Webhooks Work​
- You configure a
webhook_urlin your Merchant Portal or when creating an order. - Whenever an event occurs (e.g.
payment.success,payment.failed,payment.cancelled), KidaPay sends an HTTP POST request to your webhook endpoint. - Your server validates the request using the API Key you set in the portal.
- Your system processes the event (e.g. marking an order as paid, notifying the customer).
🔑 Why Use Webhooks?​
- Real-time updates → Instantly know when a payment succeeds, fails, or is cancelled.
- Automation → Update your order database automatically without manual checks.
- Reliability → Even if the customer closes the payment page, you still get the final result via webhook.
Kidapay Webhook Signature Verification​
This explains how to verify webhook signatures sent by Kidapay to ensure the authenticity and integrity of webhook payloads.
Overview​
Kidapay signs all webhook payloads using HMAC-SHA256 with your API key. Each webhook request includes signature headers that you should verify before processing the payload.
Signature Headers​
Each webhook request includes the following headers:
x-kidapay-signature: The HMAC-SHA256 signature in the formatsha256={signature}x-kidapay-timestamp: Unix timestamp (in seconds) when the webhook was sentContent-Type:application/json
Webhook Payload Structure​
The webhook payload contains the following fields:
{
"order_id": "string",
"merchant_order_id": "string",
"status": "string",
"payment_status": "string",
"amount": "number",
"currency": "string",
"pay_currency": "string",
"pay_amount": "number",
"pay_network": "string",
"title": "string",
"description": "string",
"callback_url": "string",
"webhook_url": "string"
}
Signature Verification Process​
Step 1: Extract Headers and Payload​
Extract the signature, timestamp, and raw JSON payload from the webhook request.
Step 2: Create Signature String​
Concatenate the timestamp and payload with a period (.) separator:
signatureString = timestamp + "." + rawJsonPayload
Step 3: Generate Expected Signature​
Using your API key, generate an HMAC-SHA256 signature:
expectedSignature = HMAC-SHA256(apiKey, signatureString)
Step 4: Compare Signatures​
Compare the expected signature with the signature from the x-kidapay-signature header (without the sha256= prefix).
Implementation Examples​
- Node.js (Express)
- Python (Flask)
- PHP
- Java (Spring Boot)
const crypto = require('crypto');
const express = require('express');
function verifyKidapaySignature(req, res, next) {
const signature = req.headers['x-kidapay-signature'];
const timestamp = req.headers['x-kidapay-timestamp'];
const rawBody = JSON.stringify(req.body);
const apiKey = process.env.KIDAPAY_API_KEY; // Your API key
if (!signature || !timestamp) {
return res.status(400).json({ error: 'Missing signature headers' });
}
// Extract signature (remove 'sha256=' prefix)
const receivedSignature = signature.replace('sha256=', '');
// Create signature string
const signatureString = `${timestamp}.${rawBody}`;
// Generate expected signature
const expectedSignature = crypto
.createHmac('sha256', apiKey)
.update(signatureString, 'utf8')
.digest('hex');
// Compare signatures
if (receivedSignature !== expectedSignature) {
return res.status(401).json({ error: 'Invalid signature' });
}
next();
}
// Use middleware
app.post('/webhook', express.raw({ type: 'application/json' }), verifyKidapaySignature, (req, res) => {
// Process verified webhook
const payload = JSON.parse(req.body);
console.log('Verified webhook:', payload);
res.status(200).send('OK');
});
import hmac
import hashlib
import json
from flask import Flask, request, jsonify
app = Flask(__name__)
def verify_kidapay_signature():
signature = request.headers.get('x-kidapay-signature')
timestamp = request.headers.get('x-kidapay-timestamp')
raw_body = request.get_data(as_text=True)
api_key = 'your_api_key_here' # Your API key
if not signature or not timestamp:
return False
# Extract signature (remove 'sha256=' prefix)
received_signature = signature.replace('sha256=', '')
# Create signature string
signature_string = f"{timestamp}.{raw_body}"
# Generate expected signature
expected_signature = hmac.new(
api_key.encode('utf-8'),
signature_string.encode('utf-8'),
hashlib.sha256
).hexdigest()
# Compare signatures
return hmac.compare_digest(received_signature, expected_signature)
@app.route('/webhook', methods=['POST'])
def handle_webhook():
if not verify_kidapay_signature():
return jsonify({'error': 'Invalid signature'}), 401
# Process verified webhook
payload = request.get_json()
print(f"Verified webhook: {payload}")
return 'OK', 200
<?php
function verifyKidapaySignature($rawBody, $signature, $timestamp, $apiKey) {
if (!$signature || !$timestamp) {
return false;
}
// Extract signature (remove 'sha256=' prefix)
$receivedSignature = str_replace('sha256=', '', $signature);
// Create signature string
$signatureString = $timestamp . '.' . $rawBody;
// Generate expected signature
$expectedSignature = hash_hmac('sha256', $signatureString, $apiKey);
// Compare signatures
return hash_equals($receivedSignature, $expectedSignature);
}
// Webhook endpoint
$rawBody = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_KIDAPAY_SIGNATURE'] ?? '';
$timestamp = $_SERVER['HTTP_X_KIDAPAY_TIMESTAMP'] ?? '';
$apiKey = 'your_api_key_here'; // Your API key
if (!verifyKidapaySignature($rawBody, $signature, $timestamp, $apiKey)) {
http_response_code(401);
echo json_encode(['error' => 'Invalid signature']);
exit;
}
// Process verified webhook
$payload = json_decode($rawBody, true);
echo 'OK';
?>
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.nio.charset.StandardCharsets;
@RestController
public class WebhookController {
private static final String API_KEY = "your_api_key_here"; // Your API key
@PostMapping("/webhook")
public ResponseEntity<String> handleWebhook(
@RequestBody String rawBody,
@RequestHeader("x-kidapay-signature") String signature,
@RequestHeader("x-kidapay-timestamp") String timestamp) {
if (!verifySignature(rawBody, signature, timestamp)) {
return ResponseEntity.status(401).body("Invalid signature");
}
// Process verified webhook
ObjectMapper mapper = new ObjectMapper();
try {
JsonNode payload = mapper.readTree(rawBody);
System.out.println("Verified webhook: " + payload);
} catch (Exception e) {
return ResponseEntity.status(400).body("Invalid JSON");
}
return ResponseEntity.ok("OK");
}
private boolean verifySignature(String rawBody, String signature, String timestamp) {
if (signature == null || timestamp == null) {
return false;
}
try {
// Extract signature (remove 'sha256=' prefix)
String receivedSignature = signature.replace("sha256=", "");
// Create signature string
String signatureString = timestamp + "." + rawBody;
// Generate expected signature
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(API_KEY.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secretKey);
byte[] hash = mac.doFinal(signatureString.getBytes(StandardCharsets.UTF_8));
StringBuilder expectedSignature = new StringBuilder();
for (byte b : hash) {
expectedSignature.append(String.format("%02x", b));
}
// Compare signatures
return receivedSignature.equals(expectedSignature.toString());
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
return false;
}
}
}
Security Best Practices​
1. Always Verify Signatures Never process webhook payloads without verifying the signature first.
2. Use Constant-Time Comparison
Use cryptographically secure comparison functions (like crypto.timingSafeEqual in Node.js or hash_equals in PHP) to prevent timing attacks.
3. Validate Timestamp Consider implementing timestamp validation to prevent replay attacks:
const TOLERANCE = 300; // 5 minutes tolerance
function isTimestampValid(timestamp) {
const webhookTime = parseInt(timestamp);
const currentTime = Math.floor(Date.now() / 1000);
return Math.abs(currentTime - webhookTime) <= TOLERANCE;
}
4. Keep API Keys Secure
- Store API keys in environment variables
- Never commit API keys to version control
- Rotate API keys regularly
- Use different API keys for different environments
5. Handle Raw Request Body Ensure you're using the raw request body exactly as received (before any parsing or modification) for signature verification.
6. Implement Idempotency
Use the order_id or merchant_order_id to implement idempotent webhook processing and avoid duplicate processing.
Troubleshooting​
Common Issues​
-
Signature Mismatch
- Ensure you're using the raw request body
- Verify the API key is correct
- Check that you're including the
sha256=prefix removal - Ensure proper string encoding (UTF-8)
-
Missing Headers
- Verify your webhook endpoint is receiving the signature headers
- Check for case sensitivity in header names
-
Timestamp Issues
- Ensure timestamp is treated as a string, not parsed as integer
- Check for proper concatenation format:
timestamp.payload
Testing​
You can test your webhook signature verification using tools like ngrok and manually crafting test webhooks with known signatures.
Support​
If you encounter issues with webhook signature verification, please contact Kidapay support with:
- Your API key ID (not the actual key)
- Example webhook payload
- Your signature verification code
- Error messages or unexpected behavior details