Learn how to listen for transactions that happen on your account
A webhook is a URL on your server where we send payloads for transaction events. For example, if you implement webhooks, we will immediately notify your server with a virtualcard.user.kyc.success event once a customer complete kyc.
Whenever you receive a webhook notification from us, return a 200 OK to avoid resending the same event again from our server.
Events
Transactions sent to your webhook URL have event types that provide more information about a transaction. It says what kind of transaction: sent or received and the transaction's status.
Here are the different event types:
| Event Type | Description |
|---|---|
virtualcard.transaction.debit | Debit Transactions on Virtual Cards. |
virtualcard.transaction.reversed | Reversed Transactions on Debited Transactions. |
virtualcard.transaction.credit | Credit Transactions on Virtual Card. |
virtualcard.user.kyc.success | User successfully registered. |
virtualcard.user.kyc.failed | User KYC registration failed. |
virtualcard.created.success | Virtual card created successfully. |
virtualcard.created.failed | Error creating virtual card. |
virtualcard.transaction.declined | When a card transaction is declined by a vendor. |
Verifying Events
It is necessary to verify that these events come from EverTry to avoid creating transactions due to a fraudulent event.
To verify events, validate the X-EverTry-Hmac-Sha256 header sent with the event. The HMAC SHA512 signature is the event payload signed with your api key.
const crypto = require('crypto');
const webhookSecret = process.env.EVERTRY_API_KEY;
// Using Express
app.post("/webhook_url", function(req, res) {
// Validate event
const hash = crypto.createHmac('sha512', webhookSecret).update(JSON.stringify(req.body)).digest('hex');
if (hash === req.headers['X-EverTry-Hmac-Sha256']) {
// Retrieve the request's body
const event = req.body;
// Do something with the event
}
res.sendStatus(200);
});
import hmac
from hashlib import sha512
def webhook_verification(request):
secret = os.environ.get("EVERTRY_API_KEY")
signature = request.headers.get('X-EverTry-Hmac-Sha256')
computed_sig = hmac.new(
key=webhook_secret.encode("utf-8"), msg=request.body, digestmod=sha512
).hexdigest()
return signature == computed_sig
$webhookSecret = EVERTRY_API_KEY;
$data = json_encode($_POST);
$hash = hash_hmac('sha512', $data, $webhookSecret);
if ($hash == $_SERVER['X-EverTry-Hmac-Sha256']) {
// Do something with event
}