cURL

curl -X POST "https://dev.api.onekhusa.com/sandbox/v1/merchants/webhooks/verify" \
  --header "Authorization: Bearer your-jwt-token" \
  --header "Content-Type: application/json" \
  --header "Accept-Language: en" \
  -d '{
    "merchantAccountNumber": 12345678,
    "eventCode": "payrequest.success",
    "webhookSignature": "e4V5qKIM2ZX6Gl2A9K9Owy_J98gqBf4VgTF...."
  }'

{
  "merchantAccountNumber": 12345678,
  "isSignatureValid": true
}

Webhooks

Verify Webhook

This endpoint allows the merchants to verify the received webhook notifications against with what was configured under merchant account webhooks before proceeding to process the request instruction to avoid bogus requests.

Obtain event-code and webhook-signature from the received webhook notification using these request headers namely X-OneKhusa-Webhook-Event and X-OneKhusa-Webhook-Signature.

DO NOT compute the received webhook signature with any algorithm such as SHA256, SHA384, SHA512 or encode to base64string but rather set it as is to the payload for equality comparison.

Warning: Do not trust any webhook notifications received by your API endpoints until your system performs verification prior to further processing.

POST

merchants

webhooks

verify

cURL

curl -X POST "https://dev.api.onekhusa.com/sandbox/v1/merchants/webhooks/verify" \
  --header "Authorization: Bearer your-jwt-token" \
  --header "Content-Type: application/json" \
  --header "Accept-Language: en" \
  -d '{
    "merchantAccountNumber": 12345678,
    "eventCode": "payrequest.success",
    "webhookSignature": "e4V5qKIM2ZX6Gl2A9K9Owy_J98gqBf4VgTF...."
  }'

{
  "merchantAccountNumber": 12345678,
  "isSignatureValid": true
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer , where is your access token.

Headers

Accept-Language

string

default:en

Preferred language for the response

Body

application/json

merchantAccountNumber

integer

required

An active account number for the merchant registered on OneKhusa for verifying webhooks.

Required range: 10000000 <= x <= 99999999

Example:

12345678

eventCode

string

required

The event code received from webhook notification request.

Example:

"payrequest.success"

webhookSignature

string

required

The unique signature received from webhook notification request.

Example:

"e4V5qKIM2ZX6Gl2A9K9Owy_J98gqBf4VgTF...."

Response

200 - application/json

Success Response (200 OK)

merchantAccountNumber

integer

An account number for the merchant used for verifying webhook notification.

Example:

12345678

isSignatureValid

boolean

This indicates whether webhook notification is valid or not.

Example:

true

Delete Webhook Get Webhook

⌘I

Getting Started

Disbursements

Accept Payments

Merchants

Security

Supporting APIs

Verify Webhook

Authorizations

Headers

Body

Response