Ad hoc webhooks

How to secure your callback endpoints

When sending a payment or creating a local withdrawal you can provide us a webhook (callback) URI - callbackUri. We will call it when a payment or withdrawal status changes.

We recommend API clients to generate and add ?signature=ASecretPerPaymentKey query to your callbackUri to make sure it's Flash Payments calling your webhook endpoint. For example:

To avoid storing the signatures in a database we recommend generating them on the fly using a strong hash function or any kind of cryptography.


This is just an example. Feel free to sign your URLs the way you want.

You would need to implement two functions.

  1. Function to generate "signature".

  2. Function to verify the "signature".

Generating signatures

Node.js pseudo code for creating transfers in Flash Payments API.

const secret = 'abcdefg';
function generateSignature(string) {
  return require('crypto')
    .createHmac('sha256', secret)

const signature = generateSignature(stringIdFromMyDatabase);
const callbackUri = 
  "" + signature;
const externalId = stringIdFromMyDatabase;

// Use both callbackUri and externalId when creating transfers with Flash Payments API

The code above creates a callbackUri and externalId variables. Use both of them when creating a transfer in Flash Payments API.

Verifying signatures

Node.js pseudo code of the webhook endpoint HTTP request handler.

function myCallbackEndpointHandler(req, res) {
  const signature = req.query.signature;
  const stringIdFromMyDatabase = req.body.externalId;
  if (generateSignature(stringIdFromMyDatabase) !== signature) {
    console.error("Security warning! Webhook endpoint received bad data", req);
  // proceed with the webhook processing

Last updated