webhook | description |
---|---|
draft | Client has created an order and redirected user to purchase |
expired | User did not confirm the purchase and order expired |
declined | User attempted a purchase but their payment attempt was declined |
cancelled | Order was cancelled |
processing | Order was confirmed, waiting for payment |
processed | Payment was processed successfully |
complete | Order was executed and delivered to user |
signedContent = "${webhook-id}.${webhook-timestamp}.${body}"
where body is the raw body of the request.signedContent
from above using the base64 portion of your signing secret (this is the part after the whsec_ prefix) as the key. So if your signing secret is: whsec_ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n
, you’ll want to use ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n
webhook-signature
header; make sure to remove the version prefix and delimiter (e.g. v1,) before verifying the signature.
Please note that to compare the signatures, it’s recommended to use a constant-time string comparison method in order to prevent timing attacks.