🔙Postback

Communication takes place with the help of postback requests (postbacks). After each Client request for input or output, a postback is sent to the Client with the result of the operation.

Receiving the postback

To accept postbacks, implement a separate path (endpoint) for receiving them. They are sent as POST requests in JSON format.

The A-pay server expects a response in JSON:

{ 
"status": "OK" 
}

The response code must be 200. If A-pay receives any other response, it resends the postback with a certain frequency.

Deposit

Client-side signature generation

When sending webhooks, A-Pay also sends a signature: a specifically generated hash string that is created using a private key.

The signature itself is calculated as follows:

$signature = sha1($access_key . $private_key . md5($transactions->toJson(JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE)));

A string built from three parameters is passed to the sha1 function: the access key, the private key, and the MD5 hash of the JSON-encoded transactions.

The result is a string that cannot be forged without the private key, which is never sent in webhooks.

The client can compute the signature itself and compare it with the signature received in the webhook, confirming that the data was genuinely sent and not faked by a scammer.

Postback of transactions for deposit

Request body schema:

List of transactions:

Example of a postback sent by a POST request in JSON format:

{
  "access_key": "mrOYReXJphqo7lkL",
  "signature": "dfsfrwe3344d",
  "transactions": [
    {
      "order_id": "7fa13dbc3b79e05e",
      "status": "Success",
      "amount": 6008.39,
      "currency": "INR",
      "payment_system": "mpesa",
      "custom_transaction_id": "string",
      "custom_user_id": "string",
      "created_at": 1665731710,
      "activated_at": 1665731710
    }
  ]
}

Responses:

If {"status":"OK"} was passed, we consider the webhook successfully delivered.

Example of a response:

{
    "status": "OK"
}

Withdrawal

Client-side signature generation

When sending webhooks, A-Pay also sends a signature: a specifically generated hash string that is created using a private key.

The signature itself is calculated as follows:

$signature = sha1($access_key . $private_key . md5($transactions->toJson(JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE)));

A string built from three parameters is passed to the sha1 function: the access key, the private key, and the MD5 hash of the JSON-encoded transactions.

The result is a string that cannot be forged without the private key, which is never sent in webhooks.

The client can compute the signature itself and compare it with the signature received in the webhook, confirming that the data was genuinely sent and not faked by a scammer.

Postback of transactions for deposit

Request body schema:

List of transactions:

Example of a postback sent by a POST request in JSON format:

{
  "access_key": "mrOYReXJphqo7lkL",
  "signature": "dfsfrwe3344d",
  "transactions": [
    {
      "order_id": "7fa13dbc3b79e05e",
      "status": "Success",
      "amount": 6008.39,
      "currency": "INR",
      "payment_system": "mpesa",
      "custom_transaction_id": "string",
      "custom_user_id": "string",
      "created_at": 1665731710,
      "activated_at": 1665731710
    }
  ]
}

Responses:

If {"status":"OK"} was passed, we consider the webhook successfully delivered.

Example of a response:

{
    "status": "OK"
}

Expected responses to postbacks from a client:

  • On success, the client is expected to return an HTTP status of 2XX.

  • Every 2XX response should be accompanied by "status" = "ok".

  • On failure, the client is expected to return an HTTP status other than 2XX (depending on the error) along with an error message, for example "error validation" or "not enough fields".
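
A receiver-side check built on the signature formula from "Client-side signature generation", ending with the response this page expects. This is an added example, not A-pay's own code: the function names, the private key, the trimmed transaction and the 400 status are assumptions made for illustration.

```php
<?php
// Added example (not A-pay's code). Function names and sample values are hypothetical.

// Recompute the signature exactly as the page's formula does.
function apay_signature(string $accessKey, string $privateKey, array $transactions): string
{
    $json = json_encode($transactions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    return sha1($accessKey . $privateKey . md5($json));
}

// Return the decoded postback when the signature matches, otherwise null.
function apay_verify_postback(string $rawBody, string $accessKey, string $privateKey): ?array
{
    $body = json_decode($rawBody, true);
    if (!is_array($body)
        || !is_string($body['access_key'] ?? null)
        || !is_string($body['signature'] ?? null)
        || !is_array($body['transactions'] ?? null)) {
        return null; // malformed body ("not enough fields")
    }
    // Reject postbacks that carry a different access key than the one configured.
    if (!hash_equals($accessKey, $body['access_key'])) {
        return null;
    }
    $expected = apay_signature($accessKey, $privateKey, $body['transactions']);
    // hash_equals compares in constant time, so timing does not leak the expected value.
    return hash_equals($expected, $body['signature']) ? $body : null;
}

// --- Constructed sample input: the private key and signature are made up for this demo ---
$accessKey  = 'mrOYReXJphqo7lkL';
$privateKey = 'constructed-private-key';
$transactions = [[
    'order_id' => '7fa13dbc3b79e05e', 'status' => 'Success', 'amount' => 6008.39,
    'currency' => 'INR', 'payment_system' => 'mpesa', 'created_at' => 1665731710,
]];
$genuine = json_encode([
    'access_key'   => $accessKey,
    'signature'    => apay_signature($accessKey, $privateKey, $transactions),
    'transactions' => $transactions,
], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
$tampered = str_replace('6008.39', '96008.39', $genuine); // amount changed in transit

foreach (['genuine' => $genuine, 'tampered' => $tampered] as $label => $raw) {
    $ok = apay_verify_postback($raw, $accessKey, $privateKey) !== null;
    // Per the page: 2XX with {"status":"OK"} on success, non-2XX plus an error message otherwise.
    echo $label, ': ', $ok ? '200 {"status":"OK"}' : '400 error validation', PHP_EOL;
}
```

In a real endpoint the raw body comes from `file_get_contents('php://input')`, and the order or balance is updated only after the check returns a non-null result.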
