Skip to main content
XPayLabs sends HTTP POST callbacks to your configured endpoint URL whenever an order or collection changes state. Instead of polling the API for status changes, register your callback URL and receive signed notifications in real-time.

Configuration

Set your webhook endpoint URL and shared secret in the gateway configuration:
The webhook-secret is used to compute the sign field in each webhook payload, allowing you to verify the notification originated from your gateway.

Payload Format

Every webhook callback is a POST request with a JSON body following the NotifyPayload structure:
FieldTypeDescription
signstringHMAC-SHA256 signature for payload verification
timestampintegerUnix timestamp of when the notification was generated
noncestringUnique event identifier
notifyTypestringThe event type (see Event Types)
dataobjectThe event payload (NotifyOrder object)

Example Payload

Signature Verification

Verify the webhook signature using your webhook-secret:

Algorithm

  1. Serialize the data object (the data field from the payload) as compact JSON.
  2. Compute HMAC-SHA256(data_json, webhook_secret).
  3. Convert to lowercase hex and compare with the sign field.

Node.js

Python

Retry Policy

If your endpoint does not return a 2xx status code within 10 seconds, XPayLabs retries the webhook with exponential backoff:
AttemptDelay
1st retry~1 second
2nd retry~5 seconds
3rd retry~30 seconds
4th retry~5 minutes
After 4 failed attempts, the notification is marked as failed. Failed webhooks are logged and can be replayed from the gateway dashboard.

Best Practices

  • Respond immediately. Return 200 as fast as possible, then process the event asynchronously.
  • Verify every payload. Always check the HMAC signature before acting on a webhook.
  • Use nonce for deduplication. Store processed nonces to handle at-least-once delivery.
  • Check notifyType. Route events based on the notification type to handle each event correctly.
Last modified on June 26, 2026