Overview

Our webhooks include a signature in the request headers to ensure authenticity and integrity. This document explains how the signature is generated and how you can verify it to ensure that the webhook payload was sent by our system.

Webhook Signature

When we send a webhook, the x-webhook-wp-signature header will contain a Bearer token. This token is a SHA256 hash that you can use to verify the authenticity of the webhook request.

Payin Webhook Signature

For a Payin webhook, you need to concatenate the following fields in the exact order:
{id}{key}{amount}{api_key}
Where:
  • {id}: The unique identifier of the transaction
  • {key}: A specific key associated with the transaction. In the case of Payin creation, the value used for key is the hash field returned in the response
  • {amount}: The amount involved in the transaction
  • {api_key}: Your API key used for authentication
In Payin webhooks, for cases where the Payin is canceled and the paid_amount field in the webhook is null, the {amount} value used in the signature calculation is still the original amount that was specified when the Payin was created, not the null value. Therefore, always ensure that signature verification uses the original Payin amount, regardless of the payment status.

Payout Webhook Signature

For a Payout webhook, the following fields should be concatenated:
{invoice}{currency}{amount}{api_key}
Where:
  • {invoice}: The invoice number of the payout transaction
  • {currency}: The currency used in the payout
  • {amount}: The amount of the payout
  • {api_key}: Your API key used for authentication

Automatic PIX Webhook Signature

For Automatic PIX related webhooks (authorizations, schedules and payins), the following fields should be concatenated:
{merchant_id}{contract_id}{api_key}
Where:
  • {merchant_id}: Merchant ID of the user that created the authorization
  • {contract_id}: Contract ID of the authorization
  • {api_key}: API Key of the user that created the authorization

Signature Verification

To verify the webhook’s authenticity:
  1. Concatenate the required fields (depending on whether the webhook is for a Payin, Payout, or Automatic PIX)
  2. Generate a SHA256 hash of the concatenated string
  3. Compare the generated hash with the token provided in the x-webhook-wp-signature header
If the hashes match, the webhook is verified as authentic.

Examples

Payin

For a Payin webhook with the following data:
  • {id} = 123456
  • {key} = ABCD
  • {amount} = 10.00
  • {api_key} = FF9876543210
Concatenated string: 123456ABCD10.00FF9876543210
To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the x-webhook-wp-signature header.

Payout

For a Payout webhook with the following data:
  • {invoice} = WE00000001
  • {currency} = BRL
  • {amount} = 5.00
  • {api_key} = FF99775566ffddhh
Concatenated string: WE00000001BRL5.00FF99775566ffddhh
To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the x-webhook-wp-signature header.

Automatic PIX

For an Automatic PIX webhook with the following data:
  • {merchant_id} = 467
  • {contract_id} = A001
  • {api_key} = FF99775566ffddhh
Concatenated string: 467A001FF99775566ffddhh
To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the x-webhook-wp-signature header.
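The following is an added Python example, not the vendor's own code, that implements the three concatenation rules and the Signature Verification steps above for the three sample webhooks (Payin, Payout and Automatic PIX). It assumes the header value has the form "Bearer <hex-encoded SHA256>" and that field values are concatenated exactly as the strings shown on this page; the webhook body field names used in the Payin sample (id, key, status, paid_amount) are constructed for illustration, and the stored original amount stands in for your own record of the Payin.

```python
# Added example (not the vendor's code): build and verify x-webhook-wp-signature.
# Assumptions not stated on the page: the token is hex-encoded SHA256, and field
# values are concatenated verbatim as strings (no trimming or reformatting).
import hashlib
import hmac
from typing import Optional

HEADER_NAME = "x-webhook-wp-signature"


def payin_signature_string(tx_id: str, key: str, amount: str, api_key: str) -> str:
    # {id}{key}{amount}{api_key}; amount is always the ORIGINAL Payin amount
    return f"{tx_id}{key}{amount}{api_key}"


def payout_signature_string(invoice: str, currency: str, amount: str, api_key: str) -> str:
    # {invoice}{currency}{amount}{api_key}
    return f"{invoice}{currency}{amount}{api_key}"


def automatic_pix_signature_string(merchant_id: str, contract_id: str, api_key: str) -> str:
    # {merchant_id}{contract_id}{api_key}
    return f"{merchant_id}{contract_id}{api_key}"


def compute_signature(concatenated: str) -> str:
    # SHA256 over the UTF-8 bytes of the concatenated string, hex-encoded (assumed)
    return hashlib.sha256(concatenated.encode("utf-8")).hexdigest()


def extract_token(header_value: Optional[str]) -> Optional[str]:
    # The header carries "Bearer <token>"; return the token, or None if malformed
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_signature(header_value: Optional[str], concatenated: str) -> bool:
    # Steps 2 and 3 of the procedure: hash the string, compare with the header token.
    token = extract_token(header_value)
    if token is None:
        return False
    expected = compute_signature(concatenated)
    # Constant-time comparison so timing does not reveal how much of the token matched;
    # bytes are compared so a non-ASCII token cannot raise instead of failing closed.
    return hmac.compare_digest(expected.encode("ascii"), token.lower().encode("utf-8"))


def verify_payin_webhook(body: dict, header_value: Optional[str],
                         original_amount: str, api_key: str) -> bool:
    """Verify a Payin webhook.

    original_amount must come from your own record of the Payin made at creation
    time: for a canceled Payin the body's paid_amount may be null, but the
    signature is still computed over the original amount. Body field names here
    (id, key, paid_amount) are constructed for the example.
    """
    concatenated = payin_signature_string(str(body["id"]), str(body["key"]),
                                          original_amount, api_key)
    return verify_signature(header_value, concatenated)


if __name__ == "__main__":
    # Constructed sample: a canceled Payin whose paid_amount is null.
    api_key = "FF9876543210"
    body = {"id": "123456", "key": "ABCD", "status": "canceled", "paid_amount": None}
    stored_amount = "10.00"  # from our own Payin record, not from the webhook body
    # Simulate the sender: hash the page's sample string and wrap it as a Bearer token.
    header = "Bearer " + compute_signature(payin_signature_string("123456", "ABCD", "10.00", api_key))
    print(verify_payin_webhook(body, header, stored_amount, api_key))  # True
    print(verify_payin_webhook(body, header, "9.99", api_key))         # False: wrong amount
    print(verify_signature("Bearer deadbeef", "467A001FF99775566ffddhh"))  # False: forged token
```

Two practical points the procedure does not spell out: compare the hash with a constant-time function rather than plain string equality, and reject the request outright when the header is missing or lacks the Bearer prefix instead of treating an empty token as a mismatch to be logged later.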
For any further questions or issues, please reach out to our support team.