Flashpay API
  1. Quick Start
Flashpay API
  • Quick Start
    • Overview
    • Configuring the Server
    • Integrating Flashpay in Your Frontend 
    • Webhooks
  • Payments
    • New payment intent
      POST
    • Payment details by ID
      GET
    • Recent payment by destination account
      GET
  • Banks
    • Fetch list of available banks
      GET
  1. Quick Start

Webhooks

Webhooks#

Flashpay uses webhooks to notify your application when an event happens in your account. Webhooks are particularly useful for asynchronous events like payment status updates.

The Webhook Event#

When an event occurs, we send a HTTP POST request to your configured webhook URL. The request body contains the Payment object in JSON format.

Example Payload#

{
    "id": "pay_123456789",
    "amount": 5000,
    "currency": "NGN",
    "status": "SUCCESSFUL",
    "reference": "ref_987654321",
    "description": "Payment for Order #123",
    "ownerId": "bus_123",
    "destinationAccount": "1234567890",
    "destinationAccountName": "John Doe",
    "createdAt": "2023-11-25T10:00:00Z",
    "updatedAt": "2023-11-25T10:05:00Z"
}

Security#

We sign every webhook event so you can verify that it was sent by Flashpay.

Headers#

Every webhook request includes the following headers:
HeaderDescription
X-Webhook-SignatureThe HMAC-SHA256 signature of the request.
X-Webhook-TimestampThe Unix timestamp (in seconds) when the webhook was sent.

Verifying Signatures#

1.
Extract the headers: Get X-Webhook-Signature and X-Webhook-Timestamp.
2.
Construct the signed content: Concatenate the timestamp, a dot (.), and the raw request body.
signed_content = "{timestamp}.{raw_body}"
3.
Generate the expected signature: Compute an HMAC-SHA256 signature of signed_content using your Webhook Secret as the key.
4.
Compare signatures: Compare your generated signature with the X-Webhook-Signature header.
[!IMPORTANT]
To prevent replay attacks, verify that the X-Webhook-Timestamp is within a 5-minute tolerance of your server time.

Example (Node.js)#

Retries#

If your server returns a non-2xx response, we will retry the webhook delivery 3 times with exponential backoff.
1.
Attempt 1: Immediate
2.
Attempt 2: +100ms
3.
Attempt 3: +200ms
4.
Attempt 4: +400ms
If all retries fail, we stop sending the event.
Modified at 2025-11-25 16:47:20
Previous
Integrating Flashpay in Your Frontend 
Next
New payment intent
Built with