Receive real-time notifications when events happen in your Kaadxpay account.
Configure webhook endpoints in your merchant dashboard (B05-02).
Kaadxpay sends an HTTP POST request with the event data to your endpoint. Failed deliveries are retried automatically up to 5 times.
Validate the HMAC-SHA256 signature to ensure authenticity.
Important: Always verify webhook signatures before processing events. The signature is sent in the X-Kaadxpay-Signature header using HMAC-SHA256.
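```javascript
const crypto = require('crypto');
const express = require('express');

const app = express();

function verifyWebhookSignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest();
  // A missing or malformed header must fail closed: timingSafeEqual throws
  // if the two buffers differ in length.
  const received = Buffer.from(signature || '', 'hex');
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// In your webhook handler:
// express.raw() keeps req.body as the exact bytes received, so the HMAC is
// computed over what was sent rather than a re-serialized copy of parsed JSON.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  // express.raw() only yields a Buffer when the content type matches.
  if (!Buffer.isBuffer(req.body)) return res.status(400).send('Expected a JSON body');
  const signature = req.headers['x-kaadxpay-signature'];
  const isValid = verifyWebhookSignature(
    req.body,
    signature,
    'whsec_your_webhook_secret'
  );
  if (!isValid) return res.status(401).send('Invalid signature');
  // Parse only after the signature has been verified.
  const event = JSON.parse(req.body.toString('utf8'));
  // Process event...
  res.status(200).send('OK');
});
```

| Attempt | Delay | Timeout |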
|---|---|---|
| 1st retry | 1 min | 30s |
| 2nd retry | 5 min | 30s |
| 3rd retry | 30 min | 30s |
| 4th retry | 2 hours | 30s |
| 5th retry | 24 hours | 30s |
After 5 failed attempts, the webhook endpoint will be marked as unhealthy and you will receive an email notification.
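
The signature check described above, exercised against a constructed delivery to show which inputs pass and which fail (an added example, not Kaadxpay's code). It assumes, as the page's snippet does, that the header carries the hex-encoded HMAC-SHA256 of the request body; the secret, the event fields and the `runChecks` helper are made up for illustration.

```javascript
const crypto = require('crypto');

// Assumption taken from the page's snippet: the header value is the hex
// HMAC-SHA256 of the request body, keyed with the webhook secret.
function verifyWebhookSignature(rawBody, signatureHeader, secret) {
  // Fail closed on a missing or malformed header. timingSafeEqual throws a
  // RangeError when the two buffers differ in length.
  if (typeof signatureHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  return crypto.timingSafeEqual(Buffer.from(signatureHeader, 'hex'), expected);
}

// Constructed sample delivery: secret and event fields are not real values.
const SECRET = 'whsec_example_only';
const rawBody = Buffer.from('{"event": "payment.completed", "amount": 10.0}', 'utf8');
const signature = crypto.createHmac('sha256', SECRET).update(rawBody).digest('hex');

function runChecks() {
  // What JSON.stringify(req.body) yields once a JSON body parser has run:
  // whitespace and number formatting no longer match the signed bytes.
  const reserialized = JSON.stringify(JSON.parse(rawBody.toString('utf8')));
  const tampered = Buffer.from(rawBody.toString('utf8').replace('10.0', '1000.0'), 'utf8');
  return {
    rawBytes: verifyWebhookSignature(rawBody, signature, SECRET),
    reserialized: verifyWebhookSignature(reserialized, signature, SECRET),
    tamperedBody: verifyWebhookSignature(tampered, signature, SECRET),
    missingHeader: verifyWebhookSignature(rawBody, undefined, SECRET),
    truncatedHeader: verifyWebhookSignature(rawBody, signature.slice(0, 32), SECRET),
    wrongSecret: verifyWebhookSignature(rawBody, signature, 'whsec_other'),
  };
}

console.log(runChecks());
```

Only `rawBytes` verifies. The `reserialized` case is a genuine delivery that gets rejected because the body was parsed and re-stringified before hashing, which would make the sender retry a delivery that was never forged.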