Webhooks
Receive real-time transaction results on your own server via HMAC-SHA256-signed webhook URLs.
Webhooks deliver the final result of a transaction to your server in real time. Because POST /api/payments/performTransaction returns only PROCESS/100, a registered webhook is how you learn whether a transaction was approved or declined.
The flow is: generate a signed URL, register it for a terminal, then receive callbacks on your server. A testing endpoint lets you fire a simulated notification before going live.
Generate webhook URL — POST /api/webhooks/generate-url
POST /api/webhooks/generate-urlGenerates a signed webhook URL with HMAC-SHA256 authentication.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
clientId | string | Yes | Your client identifier |
terminalId | string | Yes | Terminal to receive notifications for |
secretKey | string | Yes | Secret key for URL signing |
baseUrl | string | Yes | Your server's base URL |
webhookPath | string | Yes | Path to receive webhook callbacks |
signatureAlgorithm | string | Yes | Signing algorithm (HMAC_SHA256) |
tokenExpiryHours | string | Yes | Token validity in hours |
retryAttempts | string | Yes | Number of retry attempts on failure |
Request
{
"clientId": "merchant1",
"terminalId": "8184000200000077",
"secretKey": "pos123",
"baseUrl": "https://app.hooklistener.com",
"webhookPath": "w/my-first-endpoint-2mtj",
"signatureAlgorithm": "HMAC_SHA256",
"tokenExpiryHours": "24",
"retryAttempts": "3"
}
Response
{
"success": true,
"message": "Webhook URL generated successfully",
"webhookUrl": "https://app.hooklistener.com/w/my-first-endpoint-2mtj?token=...",
"generatedAt": "2026-03-25T12:24:38.997616332",
"expiresAt": "2026-03-26T12:24:38.997616332",
"details": {
"webhookPath": "w/my-first-endpoint-2mtj",
"baseUrl": "https://app.hooklistener.com",
"clientId": "merchant1",
"terminalId": "8184000200000077",
"tokenExpiryHours": 24,
"retryAttempts": 3,
"algorithm": "HMAC_SHA256"
}
}
Register webhook — POST /api/webhooks/register
POST /api/webhooks/registerRegisters a webhook URL to receive transaction notifications for a terminal.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
terminalId | string | Yes | Terminal to register webhook for |
callbackUrl | string | Yes | Generated webhook URL with token |
secretKey | string | Yes | Secret key for verification |
Request
{
"terminalId": "8184000200000077",
"callbackUrl": "https://app.hooklistener.com/w/my-first-endpoint-2mtj?token=...",
"secretKey": "pos_secret_123"
}
Response
{
"status": "SUCCESS",
"message": "Webhook URL registered successfully",
"terminalId": "8184000200000077",
"callbackUrl": "https://app.hooklistener.com/w/my-first-endpoint-2mtj?token=...",
"registeredAt": "2025-12-26T05:50:29.928462500Z",
"instructions": "You will receive webhook notifications at this URL",
"registrationInfo": {
"clientIdentifier": "merchant1",
"terminalId": "8184000200000077",
"registeredAt": "2025-12-26T05:50:29.927467300Z",
"expiresAt": "2025-12-27T05:50:29.927467300Z",
"isExpired": "false",
"secretPresent": "true"
}
}
Receive webhook notification — POST /api/webhooks/receive?token={token}
POST /api/webhooks/receive?token={token}This is the endpoint on your server that receives real-time transaction notifications from the middleware. The token query parameter is required for authentication and is included automatically in the generated webhook URL. The middleware calls this endpoint when a transaction completes.
Request parameters (all optional; populated per transaction)
| Parameter | Type | Description |
|---|---|---|
transactionId | string | Transaction identifier |
transactionType | string | Type of transaction (e.g. PURCHASE) |
panNumber | string | Masked card PAN number |
transactionAmount | string | Transaction amount |
responseCode | string | Response code from the terminal |
responseMessage | string | Response message |
rrn | string | Retrieval Reference Number |
authCode | string | Authorization code |
tid | string | Terminal ID |
mid | string | Merchant ID |
batchNo | string | Batch number |
dateTime | string | Transaction date and time |
cardEntryMode | string | How the card was entered |
merchantName | string | Merchant name |
merchantAddress | string | Merchant address |
signature | string | Transaction signature |
Request
{
"transactionId": "TXN1001",
"transactionType": "PURCHASE",
"panNumber": "455********676",
"transactionAmount": "150"
}
Notify webhook (testing) — POST {registeredWebhookUrl}
POST {registeredWebhookUrl}For testing only. Call this using the full registered webhook URL (including its token) as the endpoint — the same URL returned by Generate Webhook URL and stored during Register Webhook. Sending a POST with a simulated transaction body lets you verify your receiver processes notifications correctly before live transactions occur.
POST https://app.hooklistener.com/w/my-first-endpoint-2mtj?token=bmFtaTo4MTg0MD...
Request parameters (all optional)
| Parameter | Type | Description |
|---|---|---|
transactionId | string | Transaction identifier to simulate |
transactionType | string | Type of transaction (e.g. PURCHASE) |
panNumber | string | Masked card PAN number |
transactionAmount | string | Transaction amount |
responseCode | string | Response code |
responseMessage | string | Response message |
rrn | string | Retrieval Reference Number |
authCode | string | Authorization code |
tid | string | Terminal ID |
mid | string | Merchant ID |
Request
{
"transactionId": "TXN1001",
"transactionType": "PURCHASE",
"panNumber": "455********676",
"transactionAmount": "150"
}
Response
{
"message": "Notification sent successfully",
"status": "SUCCESS"
}
Verify the signature on every callback
Webhook URLs are signed with HMAC-SHA256 using your
secretKey. Validate the signature on each received notification before trusting its contents, and have your receiver tolerate retries (retryAttempts) idempotently usingtransactionId/rrn.