Flash Payments Developer API
Back to Flash PaymentsGraphQL Playground
  • Overview
  • Basics
    • Sending data as JSON
  • Authentication
  • Quote
  • Conversions
    • Query conversions
    • Conversion statuses
  • Balance
    • Statement
  • Recipients
    • Required fields
  • Senders
  • Payments
    • Payment statuses
    • Query payments
    • Send funds
    • Auto receive funds
  • Institutions
  • Withdrawals
    • Withdraw funds
    • Withdrawal statuses
    • Query withdrawals
  • Deposits
    • Deposit statuses
    • Query deposits
    • Refund deposits
  • Sub-clients
    • Create sub-clients
    • Disable, Activate and Update sub-clients
    • Query sub-clients
  • Webhooks
    • Regular webhooks
    • Ad hoc webhooks
  • Reference data
    • Bank information
    • Rejection codes
  • Change log
Powered by GitBook
On this page
  • Example
  • Generating signatures
  • Verifying signatures

Was this helpful?

Edit on GitHub
Export as PDF
  1. Webhooks

Ad hoc webhooks

How to secure your callback endpoints

PreviousRegular webhooksNextReference data

Last updated 6 months ago

Was this helpful?

When , or you can provide us a webhook (callback) URI - callbackUri. We will call it when a payment or withdrawal status changes.

We recommend API clients to generate and add ?signature=ASecretPerPaymentKey query to your callbackUri to make sure it's Flash Payments calling your webhook endpoint. For example:

https://my-webhooks.example.com/flash-payments?signature=oZaDlmfXbdXSKCnuWrvos2ImVBFX2Ru5

To avoid storing the signatures in a database we recommend generating them on the fly using a strong hash function or any kind of cryptography.

Example

This is just an example. Feel free to sign your URLs the way you want.

You would need to implement two functions.

  1. Function to generate "signature".

  2. Function to verify the "signature".

Generating signatures

Node.js pseudo code for creating transfers in Flash Payments API.

const secret = 'abcdefg';
function generateSignature(string) {
  return require('crypto')
    .createHmac('sha256', secret)
    .update(string)
    .digest('base64');
}

const signature = generateSignature(stringIdFromMyDatabase);
const callbackUri = 
  "https://my-webhooks.example.com/flashfx?signature=" + signature;
const externalId = stringIdFromMyDatabase;

// Use both callbackUri and externalId when creating transfers with Flash Payments API

The code above creates a callbackUri and externalId variables. Use both of them when creating a transfer in Flash Payments API.

Verifying signatures

Node.js pseudo code of the webhook endpoint HTTP request handler.

function myCallbackEndpointHandler(req, res) {
  const signature = req.query.signature;
  const stringIdFromMyDatabase = req.body.externalId;
  
  if (generateSignature(stringIdFromMyDatabase) !== signature) {
    console.error("Security warning! Webhook endpoint received bad data", req);
    res.sendStatus(500);
    return;
  }
  
  // proceed with the webhook processing
}
sending a payment
creating a local withdrawal
ordering a conversion