POST Transaction Notification

After a customer finishes a payment flow, Credify servers send a notification to your store. This guide explains the API specification for accepting transaction notifications.

caution

This is only required for custom e-commerce stores. If you are using WooCommerce or Shopify, follow the instructions in the merchant dashboard.

API Specifications

Endpoint:

POST <Notification Base API URL>
x-hmac-signature: <HMAC Hash>

For this integration method, you will need to provide an endpoint to hook the transaction notifications to, with the following specs.

  • HTTPS enabled.
  • POST enabled.
  • URL of at most 2048 characters.
  • Should expect a JSON payload:
    {
    "orderId": "<Order ID>",
    "type": "<Operation Type>",
    "refundAmount": "<nullable refund amount>",
    "timeStamp": 1732742969
    }

| Parameter | Description |
|---|---|
| Notification Base API URL | You can pick any base URL on your website and inform Credify with the URL during the setup process |
| HMAC Hash | HMAC Hash of the request body, this hash can be used to validate the authenticity of the request. |
| orderID | A unique order identifier that was initially sent by iframe/your website |
| type | Represents the type of the transaction |
| refundAmount | A decimal representing the partially refunded amount, will be null in all operations that are not PartialRefund. |
| timestamp | A timestamp that was taken upon sending the notification. Can be used by your side for better security controls. |

Notification types

  • "Cancel" : payment flow cancelled by user.
  • "Purchase" : payment flow finished and user made a transaction.
  • "Refund" : Merchant user fully refunded the payment.
  • "PartialRefund" : Merchant user partially refunded the payment and "refundAmount" will contain the refunded amount.

Expected Response

Successful HTTP status (200 Response)

Validating the HMAC

To ensure the integrity and authenticity of the notification request, validate the HMAC provided in the x-hmac-signature header by calculating the HMAC hash of the request body. Here is a step-by-step guide on how to validate the HMAC:

  1. Take the JSON request body as text.
  2. Generate HMAC: Use the same HMAC secret to generate a hash from the request body.
  3. Compare HMACs: Compare the generated HMAC with the HMAC hash provided in the header. If they match, the request is valid.

const express = require('express')
const crypto = require('crypto')
const bodyParser = require('body-parser')

const app = express()
// Keep the raw request bytes: the HMAC covers the body exactly as it was sent,
// and re-serializing the parsed JSON may not reproduce those bytes.
app.use(bodyParser.json({
  verify: (req, res, buf) => { req.rawBody = buf }
}))

// Placeholder; load the real secret from configuration, not from source code.
const HMAC_SECRET = 'your_hmac_secret'

function validateHMAC(secret, message, providedHMAC) {
  if (typeof providedHMAC !== 'string') return false
  const expected = crypto.createHmac('sha256', secret).update(message).digest()
  const provided = Buffer.from(providedHMAC, 'hex')
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  return provided.length === expected.length &&
    crypto.timingSafeEqual(provided, expected)
}

app.post('/notification', (req, res) => {
  const providedHMAC = req.headers['x-hmac-signature']

  if (req.rawBody && validateHMAC(HMAC_SECRET, req.rawBody, providedHMAC)) {
    // Process the notification (req.body holds the parsed JSON)
    res.status(200).send('Notification received')
  } else {
    res.status(401).send('Invalid HMAC')
  }
})

app.listen(3000, () => {
  console.log('Server is running on port 3000')
})

Error Handling

If the notification API returns a non-success status code, Credify services will keep retrying approximately 10 times. Please make sure to log notification requests for monitoring and to be able to ensure successful integration.
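
The following is an added example, not Credify's code: it combines the signature check with the timeStamp field and the retry behaviour described above, so that a replayed or retried notification is not processed twice. Assumptions: the signature is a hex SHA-256 HMAC as in the sample above, timeStamp is Unix seconds, a retry resends the same body, and the 300-second window, the in-memory Set and the function names are illustrative choices.

```javascript
const crypto = require('crypto')

const TYPES = new Set(['Cancel', 'Purchase', 'Refund', 'PartialRefund'])
const MAX_AGE_SECONDS = 300 // assumed freshness window, not a Credify value

function sign(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
}

// seen: Set of signatures already processed (use a persistent store in production).
// Returns { status, result }; status is the HTTP code to send back.
function handleNotification(secret, rawBody, signature, seen, nowSeconds) {
  const expected = Buffer.from(sign(secret, rawBody), 'hex')
  const provided = Buffer.from(String(signature || ''), 'hex')
  if (provided.length !== expected.length ||
      !crypto.timingSafeEqual(provided, expected)) {
    return { status: 401, result: 'bad-signature' }
  }
  let n
  try { n = JSON.parse(String(rawBody)) } catch { n = null }
  if (n === null || typeof n !== 'object' ||
      typeof n.orderId !== 'string' || !TYPES.has(n.type)) {
    return { status: 400, result: 'bad-payload' }
  }
  // refundAmount is set for PartialRefund and null for every other type.
  const hasAmount = n.refundAmount !== null && n.refundAmount !== undefined
  if (hasAmount !== (n.type === 'PartialRefund')) {
    return { status: 400, result: 'bad-refund-amount' }
  }
  // Reject notifications outside the freshness window (limits replay).
  if (!Number.isInteger(n.timeStamp) ||
      Math.abs(nowSeconds - n.timeStamp) > MAX_AGE_SECONDS) {
    return { status: 400, result: 'stale' }
  }
  // A retry of a notification that was already handled: acknowledge, do not reprocess.
  const key = expected.toString('hex')
  if (seen.has(key)) return { status: 200, result: 'duplicate' }
  seen.add(key)
  return { status: 200, result: 'accepted' }
}

// Constructed sample notification, signed with a constructed secret.
const sampleBody = JSON.stringify(
  { orderId: 'ORDER-1001', type: 'Purchase', refundAmount: null, timeStamp: 1732742969 })
const sampleSeen = new Set()
for (let i = 0; i < 2; i++) {
  console.log(handleNotification('demo-secret', sampleBody,
    sign('demo-secret', sampleBody), sampleSeen, 1732742980))
}
```

The freshness window has to be at least as long as the period over which retries arrive, otherwise a late retry of a notification that was never acknowledged is rejected as stale.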