Integration

Here are the steps to follow for a proper integration of webhooks :

Create a callback HTTP endpoint to receive webhooks requests.

This endpoint must be able to process a POST request as below:

URL: https://website.com/webhook_payment
METHOD: POST
HEADERS:

ContentType: application/json
Hub2-Signature: s1=XXXXXX,s0=XXXXXX

BODY:

{
	"type": "payment_intent.created",
	"data": {
		"id":"pi_9lEjld8yF2USvijl7mnId",
		"merchantId":"10",
		"createdAt":"2021-03-03T11:16:39.280Z",
		"updatedAt":"2021-03-03T11:16:39.288Z",
		"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjaGFudElkIjoiMTAiLCJtb2RlIjoic2FuZGJveCIsInBheW1lbnRJZCI6InBpXzlsRWpsZDh5RjJVU3Zpamw3bW5JZCIsImlhdCI6MTYxNDc3MDE5OX0.fkak8HAfHvcCeCxtzBEx1bE39oWl4vkGNgWdhnAmhXo",
		"purchaseReference":"ref_2020_11_10_001",
		"customerReference":"cust_01924059",
		"status":"payment_required",
		"amount":100,
		"currency":"XOF",
		"payments":[],
		"mode":"sandbox"
	},
	"id": "evt_O80mmIF5CNrBMbZIyHJye",
	"createdAt": "2021-03-03 11:16:39.685+00"
}

This is an example of webhook issued by a payment_intent.created event.

Call HUB2 API to register this endpoint and subscribe to a webhook event.

The HUB2 API does have a dedicated endpoint for this action. It must be called with the following body:

{
	"url": "https://website.com/webhook_payment",
	"events": [
		"payment.created",
		"payment_intent.created",
	],
	"description": "This is a webhook trigger upon payment & payment_intent creation",
	"metadata": {}
}

Here are samples of code to perform this:

This is a sample of the HUB2 API response to this call:

{
	"id": "wh_z1urYtVFgEebtcj8fxp4v",
	"createdAt": "2020-10-15T12:09:49.355Z",
	"updatedAt": "2020-10-15T12:09:49.355Z",
	"mode": "live",
	"description": "This is a webhook trigger upon payment & payment_intent creation",
	"events": ["payment.created", "payment_intent.created"],
	"metadata": { },
	"secret": "5257a869e7ecebeda32affa62cd...",
	"status": "enabled",
	"url": "https://website.com/webhook_payment"
}

This response contains a secret associated with the created webhook: "secret": "5257a869e7ecebeda32affa62cd...".

The secret must be kept carefully. It will be mandatory to verify the integrity of the webhook.

For more details on the webhooks API, check the following documentation: Webhooks API Documentation

Webhook signature verification.

This step is mandatory to ensure that no one can forge fake webhooks.

Skipping this step may offer a vulnerability to harmful people, allowing them to automatically validate transactions themselves.

To ensure the webhook received comes from the HUB2 API, it is imperative to check the signature of the body (payload).

a. Get the secret from the webhook registration.

This secret was generated in step 2, "secret": "5257a869e7ecebeda32affa62cd..." in our example.

b. Sign the payload.

Extract the contents of the BODY from the POST request sent by Hub2 first (see Json response). It should result in a characters string that must be signed via HMAC256 and the secret.

Here are some examples of procedures depending on the programming language used :

The request body must be in JSON string. Either the framework used directly returns a JSON string or it must be transformed to JSON format with a call like JSON.stringify() on the body of the request.

c. Check signature.

Finally, the computed signature must be compared to the one provided by HUB2, located in the HEADERS of the POST request.

Hub2-Signature: s1=ABCD,s0=XYZ

Hub2-Signature: Header name
s1: Signature computed using current secret.
s0: Signature computed using old secret oldSecretif present.

When updating a secret, the previous active secret becomes oldSecret for a period of 24 hours and is used to generate the s0 signature.

Getting started

Transfers

Payments

Webhooks

Other

a. Get the secret from the webhook registration.

b. Sign the payload.

c. Check signature.