Webhooks General Guide

This guide covers the main aspects for understanding, configuring, and using notifications via Webhooks.

1. Definitions

Webhook

Webhooks are user-defined HTTP callbacks which receive events for the types of events to which they are subscribed. Webhooks are asynchronous, order is not guaranteed and idempotency can lead to the same result when sent more than once. Webhooks settings include enable and disable.

Event

Events are classified into event types. Events are caused by changes in the status of a resource, such as when a payment changes from registered to completed. When an event occurs, Pagadito notifies through an HTTP POST request on the registered Webhook. The POST contains the Details of the event and the entire resource, including the type of event that gave way to such event.

Types of Events

The types of events are the different triggers that take place in a Pagadito Merchant account, such as a payment that is completed.

Home

2. Configuring Webhooks

To use Webhooks in Sandbox or production, do the following:

Go to the dashboard of your Pagadito Merchant account
Go to Webhooks in the Technical Settings section.
Enable notifications to be sent via Webhooks.
Add the WEBHOOK URL.
Save the Webhooks settings.

Once saved, a successfully configured Webhook message will appear, and you will be able to see the URL of your Webhook.

Home

3. Types of Events

Event types are the different triggers that happen in a Pagadito Merchant account, such as a completed payment.

Supported Event Types

The currently supported event types are as follows:

TRANSACTION.STATUS.CHANGE: This event is triggered when a payment is recorded, also when a payment changes status to completed, verified, rejected, and expired.

Home

4. Events

Events are notifications that are sent to the Webhook URL for specific triggers in the Pagadito Merchant account, such as a completed payment.

Event Information

When an event occurs, Pagadito sends the JSON-encoded event information using an HTTP POST to the application at the URL you specified. If the application is not available or takes too long to respond (a timeout occurs), Pagadito cancels the request and retries twenty times for a period of 3 days.

The parameter event_type in the message indicates the trigger for the event.

{
    "id": "0b918943df0962bc7a1824c0555a389347b4febdc7cf9d1254406d80ce44e3f9",
    "event_create_timestamp": "2016-02-03 14:13:39",
    "event_type": "TRANSACTION.STATUS.CHANGE",
    "resource": {
        "token": "afd7b5af626e37abf008840acfc82daa",
        "ern": "ernop1",
        "create_timestamp": "2016-02-03 14:12:35",
        "amount": {
            "total": "400.00",
            "currency": "USD"
        },
        "description": "Pago de prueba",
        "update_timestamp": "2016-02-03 14:13:35",
        "status": "COMPLETED",
        "reference": "C6CA443B",
        "items_list": [
          {
            "quantity": "1",
            "price": "300.00",
            "description": "Producto de prueba",
            "url_product": "https://mi-sitio-web.com/categoria/producto/producto-de-prueba"
          },
          {
            "quantity": "1",
            "price": "100.00",
            "description": "Producto de prueba 2",
            "url_product": "https://mi-sitio-web.com/categoria/producto/producto-de-prueba-2"
          }
        ]
    }
}

Event Security

Each of the events sent to the applications are signed.

Event Signature

Since theoretically anyone could send an HTTP POST to your application, it is important to verify that:

The Webhook event originated from Pagadito.
The Webhook event was not altered/corrupted during transmission.
The Webhook event was in fact directed to the recipient.

Therefore, Webhook events will contain a header containing a signature of the message. The recipient of the Webhook event can optionally validate that signature.

Events are signed and delivered as a message over HTTP. The following headers are used to provide information for signature validation.

PAGADITO-SIGNATURE specifies the asymmetric signature generated by Pagadito encoded in Base 64.
PAGADITO-AUTH-ALGO specifies the algorithm used to generate and verify the asymmetric signature.
PAGADITO-CERT-URL specifies the URL address to download the X509 public key certificate to be used in the verification process.

The signature is generated by concatenating five different parts with a | (vertical bar) as a separator between the parts. The details of the individual parts are as follows:

Notification ID: Unique identifier of the HTTP notification. Contained in the PAGADITO-NOTIFICATION-ID header of the Webhook event.
Timestamp Notification: Notification of the HTTP Timestamp. Contained in the PAGADITO-NOTIFICATION-TIMESTAMP header of the Webhook event.
Event ID: This is the id of the Webhook event that is delivered in the event body.
Cyclic Redundancy Check (CRC32): CRC32 checksum for the HTTP request body.
WSK: Web Service Key of the Pagadito Merchant account, this data can be found in the panel of your Pagadito Merchant account, go to Integration Parameters in the Technical Configuration section, in the Connection Credentials section.

Thus, the input string to validate the signature would have the following form: IdNotificacion|TimestampNotificacion|IdEvento|CRC32|WSK

The authentication algorithm specified in PAGADITO-AUTH-ALGO uses an asymmetric signature algorithm. This allows Pagadito to use a private key to create the signature in PAGADADITO-SIGNATURE, while allowing you to use a public key contained in the certificate whose path is defined in PAGADITO-CERT-URL to verify the Webhook event.

The following PHP code combines the headers and input string to perform the verification.

// obtener headers
$headers = getallheaders();
$notification_id = $headers['PAGADITO-NOTIFICATION-ID'];
$notification_timestamp = $headers['PAGADITO-NOTIFICATION-TIMESTAMP'];
$auth_algo = $headers['PAGADITO-AUTH-ALGO'];
$cert_url = $headers['PAGADITO-CERT-URL'];
$notification_signature = base64_decode($headers['PAGADITO-SIGNATURE']);

// obtener data
$data = file_get_contents('php://input');

// obtener id evento
$array_data = json_decode($data, TRUE);
$event_id = $array_data['id'];

// setear wsk
$wsk = 'e3de2d077dcdac201c3d2023577eec46';

// generar cadena para confirmar firma
$data_signed = $notification_id . '|' . $notification_timestamp . '|' . $event_id . '|' . crc32($data) . '|' . $wsk;
// obtener contenido del certificado

// opciones de peticiones http para generar el stream context para obtener el certificado
$http_options = array(
    'http' => array(
        'protocol_version' => '1.1',
        'method' => 'GET',
        'header' => array(
            'Connection: close'
        ),
    )
);
$cert_stream_context = stream_context_create($http_options);
$cert_content = file_get_contents($cert_url, FALSE, $cert_stream_context);

// obtener llave publica
$pubkeyid = openssl_pkey_get_public($cert_content);

// verificar firma
$resultado = openssl_verify($data_signed, $notification_signature, $pubkeyid, $auth_algo);

// liberar llave publica
openssl_free_key($pubkeyid);

// verificacion
if ($resultado == 1) {
    echo 'verificación de la firma exitosa';
} elseif ($resultado == 0) {
    echo 'verificación de la firma invalida';
} else {
    echo 'error realizando la verificación de la firma';
}

Event Response

When an application receives the event, it must respond with a level 200 HTTP status code. If it responds with any other response code, Pagadito will keep on trying to deliver the event twenty times over a 3-day period.

Home

	Guatemala
	El Salvador
	Honduras
	Nicaragua
	Costa Rica
	Panama
	Dominican Republic
	Mexico
	Belize
	Sint Maarten
	Guyana
	Suriname

Processing Transaction

Webhooks General Guide

1. Definitions

Webhook

Event

Types of Events

2. Configuring Webhooks

3. Types of Events

Supported Event Types

4. Events

Event Information

Event Security

Event Signature

Event Response