POST
request to your designated endpoint.
add a webhook
test a webhook
POST
request to your destination with the example payload shown below. Any response outside the 2XX
range, including 3XX
HTTP redirection codes, will result in a failure.
payment.dateUpdated
is newer compared to the last webhook received.REFUND
transaction in the transactions.status
object to view the outcome:
Field | Description |
---|---|
eventType | The type of event that triggered the webhook. This will have the value DISPUTE.OPENED . This indicates that a dispute notification or chargeback was issued through a configured connection. |
primerAccountId | A unique identifier for your Primer merchant account. |
transactionId | A unique identifier for the Primer transaction corresponding to this dispute. |
orderId | Your reference for the sale transaction that the dispute relates to. |
processorId | The name of the processor that generated the dispute. |
processorDisputeId | A unique identifier for the corresponding connection dispute. |
paymentId | A unique identifier for the Primer payment corresponding to this dispute. |
X-Signature-Primary
header to each event, after which you can verify the signature.
X-Signature-Primary
header is added to all webhook events and is a HMAC signature generated using the webhook payload and a shared signing secret. This is then converted to a base64 encoded string.
The shared signing secret is generated by Primer and is unique to your account (details below). You will use this secret to validate the signature sent by Primer.
X-Signature-Secondary
header will also be added. See more below.signedAt
to indicate the Unix timestamp of when the webhook was signed.
Use this timestamp to drastically reduce the chance of a replay attack. Because the timestamp is included in the payload, the same payload cannot be sent with a different timestamp without causing an invalid signature.
When verifying the signature, you should also validate that the timestamp is within an acceptable threshold from your current system time (in unix epoch format). Primer recommends a threshold of up to 3 minutes.
If Primer retries sending the webhook notification event, the timestamp at the time of sending the retried event is used, so each attempt would have a new timestamp and therefore a new hash.
create webhook secret 2
create webhook secret 1
create webhook secret 3
X-Signature-Primary
→ The payload hashed with the new signing secretX-Signature-Secondary
→ The payload hashed with the previous signing secret
This will give you time to update the stored signing secret within your application before the previous signing secret expires.create webhook secret 4
create webhook secret 5
create webhook secret 6
create webhook secret 7