Skip to main content

Verifying Webhooks

This is a guide to show how you're expected to confirm that a webhook comes from Credo Central, this is to prevent malicious actors from sending inappropriate data to your webhook endpoint.

Verifying signatures & Constructing the signed content

It is very important to verify that webhooks originate from Credo central.

Each webhook call includes an X-Signature header which is a SHA512 encoded value.

The content to sign is composed by concatenating the Token and Business_code. In code, it will look something like:


const signedContent = "${Token}${Business_code}"

Webhook Structure Format

{
  "event": "transaction.successful",
  "data": {
    "businessCode": "700607002190001",
    "transRef": "cI9H00N2AB02Qb0s69Mj",
    "businessRef": "PL1683423455304ATm",
    "debitedAmount": 1000.0,
    "transAmount": 1000.0,
    "transFeeAmount": 15.0,
    "settlementAmount": 985.0,
    "customerId": "larrie4christ@gmail.com",
    "transactionDate": "May 7, 2023, 1:37:53 AM",
    "channelId": 1,
    "currencyCode": "NGN",
    "status": 0,
    "paymentMethodType": "MasterCard",
    "paymentMethod": "Card",
    "customer": {
      "customerEmail": "john.wick@yahoo.com",
      "firstName": "John",
      "lastName": "Wick",
      "phoneNo": "23470122199999"
    }
  }
}

Important: Where event is transaction.settlement.success, empty values would be passed in the Customer object.