Webhook Introduction

Listen to events in your Yobopay account on your webhook endpoint so your integration can automatically trigger reactions.

When building Yobopay integrations, you might want your applications to receive events as they occur in your Yobopay accounts, so that your backend systems can execute actions accordingly.

Create an event destination to receive events at an HTTPS webhook endpoint. After you register a webhook endpoint, Yobopay can push real-time event data to your application’s webhook endpoint when events happen in your Yobopay account. Yobopay uses HTTPS to send webhook events to your app as a JSON payload that includes an Event object.

Get Started

Create a Webhook Endpoint

Create a webhook endpoint handler to receive event data POST requests.

Use HTTP/HTTPS for sandbox testing; HTTPS is mandatory for production.

Data Signature Validation

Verify request authenticity using HMAC-SHA256 signatures (see ).

Endpoint Configuration Example

Signature Validation Steps

Extract Headers

Generate Signed Payload

Compute HMAC-SHA256 Signature

Validate Signatures

Compare computed signature with header value.

Tolerate minor timestamp discrepancies (e.g., ±30 seconds)

Best Practices

Security: Store webhook_secret_key in secure vaults.

Idempotency: Design endpoints to handle duplicate events safely.

Error Handling: Return 200 OK only after successful validation to prevent retries.

Always validate signatures before processing payloads

Reject requests with invalid/missing timestamps (risk of replay attacks)

Webhook Introduction

Get Started#

Endpoint Configuration Example#

Signature Validation Steps#

Best Practices#

Get Started

Endpoint Configuration Example

Signature Validation Steps

Best Practices