Webhooks

For many use cases Super Payments will send you a webhook when an event occurs. For example, when a payment is successful.
You can check whether the webhooks are configured correctly from the Webhook Insights section in your business portal.

For more information on Webhook Insights see the launch post.

Webhook Signature Verification

We will pass through a super-signature header in any webhook request so you can verify the request originated from
Super Payments. You must use the Confirmation ID to verify the signature.

Your Confirmation ID starts with PWH_ and can be found on your business portal under your Payment Methods.

The signature is generated using a combination of the event payload, a timestamp and your unique Confirmation ID
found in your Merchant Portal integration. The signature, contained in the super-signature header consists of two
parts. A timestamp prefixed by t= and the signature prefixed by v1= e.g.

super-signature: t:1669219987926,v1:bc2719322a26335c486df9dffeb0c555c758b2a7470de6f62421cfb8437e8b5b

Verifying a Signature

1. Separate the timestamp and signature components by splitting the header on the , character.

2. Separate the timestamp and header components into their key value pairs by splitting on the : character.

3. Create a message string by concatenating the timestamp, retrieved in step 2, and the request body.

4. Generate an HMAC signature using SHA256 as the hash function, your webhook secret as the key and the message string
   constructed in step 3 as the message.