Webhook Setup

Goal

Set up a webhook endpoint so SMS Pay can notify your backend when payment status changes. Merchant admins configure endpoints in the dashboard; developers implement the receiving route.

Add endpoint in dashboard

Open Dashboard -> Webhooks.
Click Add endpoint.
Enter your HTTPS endpoint URL, for example https://merchant.example.com/webhooks/sms-pay.
Choose the events this endpoint should receive.
Enter or generate a signing secret and store it in your backend environment.
Save the endpoint.
Click Verify.
Send a test event.

Production endpoints must use HTTPS.

Event selection

Subscribe to:

Event	Recommended handling
`payment.paid`	Mark the order paid and fulfill.
`payment.review_required`	Alert operations; do not fulfill.
`payment.expired`	Mark the payment attempt expired.
`payment.rejected`	Mark the attempt rejected after review.

For most merchants, one endpoint subscribed to all four events is simplest.

Backend environment

SMS_PAY_WEBHOOK_SECRET=whsec_minimum_16_characters

Keep the secret private. Rotate it if it is exposed.

Signature verification

Verify X-Webhook-Signature against the raw request body before parsing JSON.

import crypto from "node:crypto";
import express from "express";

const app = express();
const secret = process.env.SMS_PAY_WEBHOOK_SECRET!;

function safeEqual(left: string, right: string) {
  const a = Buffer.from(left);
  const b = Buffer.from(right);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

app.post(
  "/webhooks/sms-pay",
  express.raw({ type: "application/json" }),
  async (req, res) => {
    const rawBody = req.body as Buffer;
    const signature = req.header("x-webhook-signature") ?? "";
    const expected =
      "sha256=" +
      crypto.createHmac("sha256", secret).update(rawBody).digest("hex");

    if (!safeEqual(signature, expected)) {
      return res.status(401).send("invalid signature");
    }

    const webhookId = req.header("x-webhook-id");
    const eventType = req.header("x-webhook-event");
    const payload = JSON.parse(rawBody.toString("utf8"));

    await saveWebhookOnce(webhookId, payload);

    if (eventType === "payment.paid") {
      await markOrderPaid({
        smsPayPaymentIntentId: payload.data.payment_intent_id,
        merchantReference: payload.data.merchant_reference,
      });
    }

    return res.status(200).send("ok");
  },
);

Payload fields

{
  "event": "payment.paid",
  "environment": "SANDBOX",
  "timestamp": "2026-05-05T10:01:00.000Z",
  "data": {
    "payment_intent_id": "b5012f33-207e-4999-bf8d-5a1ebb10988e",
    "amount": "500",
    "currency": "BDT",
    "customer_reference": "SP7A91BC2D0",
    "merchant_reference": "ORDER-10045"
  }
}

Use merchant_reference to find your order when available. Use payment_intent_id as the stable SMS Pay fallback.

Verify button

Verify checks whether your endpoint can receive SMS Pay verification requests. Verification is a setup health check; it does not prove your fulfillment logic is complete.

Test button

Test sends a selected event to your endpoint and records the delivery result. Use it to confirm:

signature verification works
endpoint returns 2xx
your idempotency storage works
your handler ignores non-paid events for fulfillment

Delivery inspection

Dashboard -> Webhooks shows delivery status, HTTP status, attempts, payload, response body, and retry state. Use this page when an order did not update in your system.

Add endpoint in dashboard

Open Dashboard -> Webhooks.

Click Add endpoint.

Enter your HTTPS endpoint URL, for example https://merchant.example.com/webhooks/sms-pay.

Choose the events this endpoint should receive.

Enter or generate a signing secret and store it in your backend environment.

Save the endpoint.

Click Verify.

Send a test event.