Webhooks

This document goes through event listeners that can be called when certain actions are performed.

What are Webhooks

Whenever transactions take place, certain events will be triggered that cooperate with your application. Webhook is a URL on your server that sends these events.

When to use webhooks

Webhooks are supported for all kinds of payment methods, but they’re especially useful for methods and events that happen outside your application’s control, such as:

  • a pending payment transaction to successful.

These are all asynchronous actions—they are not controlled by your application, so you won’t know when they are completed, unless we notify you or you check later.

Setting up a webhook allows us to notify you when these payments are completed. Within your webhook endpoint, you can then:

  • Update your order records when the status of a pending payment id updated to successful.

Enabling webhooks

Here’s how to setup a webhook on your Chapa account:

  1. Login to your dashboard and go to your profile settings.
  2. Navigate to Webhooks tab to add your webhook URL and secret hash
  3. That’s it!

Recieving an event

A webhook URL is an endpoint on your server where you can receive notifications about such events. When an event occurs, we’ll make a POST request to that endpoint, with a JSON body containing the details about the event, including the type of event and the data associated with it.

Example Code

app.post("/my/webhook/url", function(req, res) {
    // Retrieve the request's body
    var event = req.body;
    // Do something with event
     res.send(200);
});

Structure of a webhook payload

The payload for your webhook will depend on if it was initiated by a transfer or by a transaction. You can check the difference by the type attribute. Transfer has "type": "Payout" while the transaction webhook will have the type of transaction, such as Payment Link , API, Event, Donation etc.

{
  "event": "payout.success",
  "type": "Payout",
  "account_name": "Customer Name",
  "account_number": "25190000000",
  "bank_id": 855,
  "bank_name": "telebirr",
  "amount": "2000.00",
  "charge": "60.00",
  "currency": "ETB",
  "status": "success",
  "reference": "MYMER3434989",
  "chapa_reference": "2o10dfs332U",
  "bank_reference": "GT3412w3",
  "created_at": "2023-08-27T19:23:22.000000Z",
  "updated_at": "2023-08-27T19:23:23.000000Z"
}   

Webhook Event Types

Transaction Events

{
"event": "charge.success",
"first_name": "",
"last_name": "",
"email": null,
"mobile": "25190000000",
"currency": "ETB",
"amount": "400.00",
"charge": "12.00",
"status": "success",
"mode": "live",
"reference": "AP634JFwEbxd",
"created_at": "2023-08-27T19:21:18.000000Z",
"updated_at": "2023-08-27T19:21:27.000000Z",
"type": "API",
"tx_ref": "4FGFF4FFGD3",
"payment_method": "telebirr",
"customization": {
  "title": null,
  "description": null,
  "logo": null
},
"meta": null
} 

Transfer Events

{
  "event": "payout.success",
  "type": "Payout",
  "account_name": "Customer Name",
  "account_number": "25190000000",
  "bank_id": 855,
  "bank_name": "telebirr",
  "amount": "2000.00",
  "charge": "60.00",
  "currency": "ETB",
  "status": "success",
  "reference": "MYMER3434989",
  "chapa_reference": "2o10dfs332U",
  "bank_reference": "GT3412w3",
  "created_at": "2023-08-27T19:23:22.000000Z",
  "updated_at": "2023-08-27T19:23:23.000000Z"
}     

Verify webhook origin

When enabling webhooks, you should set a secret hash. Since webhook URLs are publicly accessible, the secret hash allows you to verify that incoming requests are from Chapa. You can specify any string value as your secret hash, but we recommend something random. You should also store it as an environment variable on your server.

We will include it in our request to your webhook URL, in a header called Chapa-Signature. The value of Chapa-Signature header is a HMAC SHA256 signature of your secret key signed using your secret key.

Also we will include another header x-chapa-signature.

In the webhook endpoint, check eitherChapa-Signature or x-chapa-signature headers present and that it matches the secret hash you set. If either one of headers is missing, or the value doesn’t match, you can discard the request, as it isn’t from Chapa.

The value of x-chapa-signature header is a HMAC SHA256 signature of the event payload signed using your secret key.

Verifying either x-chapa-signature or Chapa-Signature header should be done before processing the event.

Example Code

var crypto = require('crypto');
var secret = process.env.SECRET_KEY;
// Using Express
app.post("/my/webhook/url", function(req, res) {
    //validate event
    const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex');
    if (hash == req.headers['Chapa-Signature']) {
    // Retrieve the request's body
    const event = req.body;
    // Do something with event  
    }
    res.send(200);
});

Acknowledging Webhook Event

When your webhook URL receives an event, it needs to parse and acknowledge the event. Acknowledging an event means returning a 200 OK in the HTTP header. Without a 200 OK in the response header, we’ll keep sending events for the next 72 hours every 10 minutes for the 5 tries.