Webhooks
Whenever a transaction is initiated, we update the merchant on the status of the transaction with the help of webhooks. Our onboarding team will share the IP address from which webhook calls will be made to the merchant's endpoints. We advise the merchant to whitelist only these IP addresses from which legitimate calls from Zamp will be delivered.
IP addresses to whitelist
| Environment | IP address |
|---|---|
| Stage | 34.87.148.68 |
| Production | 35.240.227.82 |
Validating X-ZAMP-Signature
Once the merchant receives the webhook call, we first request the merchant to validate if the call is truly made by Zamp. In order to validate that, we request you to extract the header key X-ZAMP-Signature and validate against the logic below. The message consists of comma separated string with values payment_session_id, status of paymentSession. The result of the code block below and the value present in the X-ZAMP-Signature key should match.
const message = "merchant_uNR5Kc6a2zTdfqbLsDwxUZ_06_15,initiated";
const sha_message = CryptoJS.SHA256(`${message}:${ZAMP_SECRET}`);
const x_zamp_signature = CryptoJS.enc.Base64.stringify(sha_message);
Request body
The request body will consist of the transaction_type and transaction_id. The data passed in the request body will be the same as that particular transaction type's GET API.
For example, if the transaction is of type payment_session, the response in the data parameter will be the same result as API GET https://api.zamplabs.com/payment/v1/payment-sessions/{payment-session-id}.
Request body fields
| Field | Type | Description | Required |
|---|---|---|---|
| transaction_type | string | payment_session or refund. | Yes |
| transaction_id | string | payment_session_id or refund_id. | Yes |
| data | object | Same shape as the corresponding GET API response. | Yes |
Example payload
{
"transaction_type": "{{payment_session/refund}}",
"transaction_id": "{{payment_session_id/refund_id}}}",
"data":{
"id": "merchant_uNR5Kc6a2zTdfqbLsDwxUZ_06_15",
"reference_id": "asdaswqwqwewqe",
"merchant_id": "merchant_9GtnphjB6rbcvwb7eP5xid_05_27",
"status": "initiated",
"failure_code": "",
"amount": 100,
"source_currency": "USD",
"source_account": "0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963",
"payment_option_id": "merchant_9GthjB6rbcvwb7eP5xid_05_27",
"payment_option_code": "Metamask",
"success_redirect_url": "https://merchantWebsite.com/crypto_payment_initiated",
"failure_redirect_url": "https://merchantWebsite.com/crypto_payment_failed",
"risk_score": "lowRisk",
"created_at": "2022-06-15T06:33:20.656893Z",
"updated_at": "2022-06-15T07:12:29.476202Z",
"expires_at": "2022-06-15T07:33:20.654882583Z"
}
}
Expected response and retries
We expect the merchant to return an HTTP 200 OK status in case they have received the message. In the absence of a HTTP 200 OK response, Zamp will retry the webhook with backoff exponential logic with a doubling delay. Retries will be done for a maximum of 24 hours.