SX Digital Pay
    SX Digital Pay
    • Getting started
    • Authentication
    • Webhook Validation
    • Recommended workflows
    • Merchant
      • Get merchant profile
        GET
    • PaymentLinks
      • Create single-use payment link
        POST
      • List single-use payment links
        GET
      • Get link details
        GET
    • Webhooks
      • Link created
      • Link status changed
      • Link paymentStatus changed

    Webhook Validation

    Webhook Signature Verification (Optional but recommended for security purposes, ensuring that the webhook is actually being received from SX.)#

    When you set webhookUrl while creating a payment link, SX Digital Pay signs every webhook request (payment_link.created, payment_link.status_changed, payment_link.payment_status_changed).
    Headers:
    x-sxpay-signature: HMAC-SHA256 hex digest of "{timestamp}.{rawBody}" using the link's webhookSecret.
    x-sxpay-timestamp: Epoch milliseconds (use to prevent replay).
    Verification steps:
    1.
    Read the raw request body (exact bytes, before JSON parse).
    2.
    Compute expected = HMAC_SHA256(webhookSecret, timestamp + "." + rawBody).
    3.
    Compare expected with x-sxpay-signature using constant-time comparison.
    4.
    Optionally reject if the timestamp is too old (e.g., > 5 minutes) to mitigate replay attacks.

    Alternative or Complementary Validation (Source of Truth)#

    In addition to (or instead of) signature verification, you can use the Get link details endpoint as the source of truth before running internal processes. This is especially useful when you want to confirm the current payment link state or avoid acting on out-of-order or duplicated webhook deliveries.
    Recommended flow:
    1.
    Receive the webhook call and parse the payload to extract the payment link identifier.
    2.
    Call Get link details using your API credentials.
    3.
    Use the API response as the authoritative state for the link/payment.
    4.
    Run internal processes (e.g., crediting balance, updating orders) based on the API response.
    Notes:
    This approach can be combined with signature verification for stronger security.
    If the webhook payload conflicts with the API response, prefer the API response.
    Keep the Get link details request lightweight and idempotent to handle webhook retries safely.

    Node.js Example#

    Handling Failures#

    If verification fails, return a non-2xx status; SX Digital Pay will treat the delivery as failed.
    Make sure your endpoint responds quickly (ideally < 5s) and is highly available; retries from SX Digital Pay will occur when the response is non-2xx.

    Best Practices#

    Store webhookSecret securely; it is only returned at link creation time.
    Use HTTPS for webhookUrl.
    Log request IDs and timestamps to help debug delivery issues.
    Rotate API keys and webhook endpoints/secrets when decommissioning environments.
    Previous
    Authentication
    Next
    Recommended workflows
    Built with