We never receive webhooks
- Verify your callback URL is publicly reachable (no VPN/IP allowlist blocking).
- Ensure your endpoint accepts
POST application/json. - Check server logs for non-2xx responses; we only consider 200 / 201 / 202 delivered.
We get duplicates
- Retries can cause re-delivery. Implement idempotency with
payment_uuidorclient_reference.
Signature mismatch
- Ensure you build the hash exactly as documented (no separators, consistent string formats).
- Watch out for number formatting on
amount. - See Verify signature for examples.
Timeouts
- Read the body, persist, and return 2xx quickly; do heavy work async.
Metadata not present
metadatais optional; code defensively. See Webhook payload.