Skip to main content

Overview

Webhooks allow Payviox to send real-time notifications to your server when payment events occur. When a payment is processed, Payviox sends an HTTP POST request to your configured webhook URL with the payment details.
Webhooks are essential for keeping your application synchronized with payment statuses. Configure your webhook URL in the Payviox Dashboard under Settings > Webhooks.

Webhook Configuration

Setting Up Your Webhook URL

1

Configure Your Endpoint

Create an endpoint on your server to receive POST requests (e.g., https://yourdomain.com/api/webhook)
2

Add URL to Dashboard

Go to your Payviox Dashboard and navigate to Settings > Webhooks
3

Enter Your Webhook URL

Paste your endpoint URL in the webhook URL field
4

Save Your Webhook Token

Copy your webhook token - you’ll need it to verify webhook signatures
5

Select Webhook Events

Choose which events you want to receive. By default, only succeeded is enabled.

Available Events

You can subscribe to the following webhook events:
EventDescriptionRecommended
succeededPayment completed successfully✅ Always enable
pending_reviewPayment flagged for fraud review✅ If using fraud detection
declinedPayment declined by fraud prevention✅ If using fraud detection
refundedRefund processed✅ If you process refunds
Always verify webhook signatures to ensure requests are coming from Payviox and not from malicious actors.

Webhook Payload Structure

Payviox sends webhooks with the following structure: 
{
  "amount": 10000,
  "currency": "USD",
  "fees": 350,
  "metadata": {
    "integration_session_id": "sess_abc123xyz"
  },
  "type": "succeeded",
  "provider": "stripe",
  "order_id": "order_123456",
  "items": [
    {
      "name": "Premium Subscription",
      "quantity": 1,
      "price": 10000
    }
  ],
  "payment_method": "card",
  "customer": {
    "name": "John Doe",
    "email": "[email protected]",
    "phone": "+1234567890",
    "address": {
      "line1": "123 Main St",
      "city": "Paris",
      "postal_code": "75001",
      "country": "FR"
    }
  }
}

Payload Fields

amount
integer
required
The payment amount in the smallest currency unit (e.g., cents for USD)
currency
string
required
Three-letter ISO currency code (e.g., USD, EUR, GBP)
fees
integer
Total fees amount in the smallest currency unit (e.g., cents for USD). The customer pays amount + fees = total. This field is present when fees have been calculated for the transaction.
metadata
object
required
Custom metadata associated with the payment session
type
string
required
The payment event type. Possible values:
  • succeeded: Payment completed successfully. You can fulfill the order.
  • pending_review: Payment flagged for fraud review. Do NOT ship until you receive succeeded or declined.
  • declined: Payment declined by fraud prevention. Customer has been automatically refunded.
  • refunded: A refund has been processed for this transaction.
provider
string
required
The payment provider used (e.g., stripe, paypal, crypto)
order_id
string
required
Your unique order identifier
items
array
required
Array of items purchased
payment_method
string
Specific payment method used (e.g., card, bank_transfer)
customer
object
Optional. Customer information if available from the payment provider. This field is only present when customer data was collected during payment.

Event Types

Payviox sends different webhook events based on the payment lifecycle. Here’s what each event means and how to handle it:

succeeded - Payment Successful

✅ Payment Successful

The payment has been validated by the payment processor. You can safely fulfill the order.Typical flow:
  1. Customer completes payment
  2. Payment processor confirms the charge
  3. You receive succeeded webhook
  4. Ship the order / provide the service

pending_review - Fraud Review Required

⚠️ Pending Review

The payment has been flagged by our fraud detection system for manual review. Do NOT ship until you receive a final decision.Typical flow:
  1. Customer completes payment
  2. Fraud detection flags the transaction
  3. You receive pending_review webhook
  4. Admin reviews the transaction
  5. You receive either succeeded or declined webhook
Never fulfill orders that are in pending_review status. Wait for the final succeeded or declined webhook.

declined - Fraud Declined

❌ Declined (Fraud)

The payment was automatically declined by the fraud prevention system. The customer has been automatically refunded.Typical flow:
  1. Customer completes payment
  2. Fraud score exceeds threshold
  3. Automatic refund is issued
  4. You receive declined webhook
  5. Do NOT ship the order

refunded - Payment Refunded

↩️ Refunded

A refund has been processed for this transaction.Typical flow:
  1. Original payment was successful
  2. Refund is requested (by you or the customer)
  3. Refund is processed
  4. You receive refunded webhook

Webhook Headers

Every webhook request includes these headers:
HeaderDescription
Content-TypeAlways application/json
SignatureHMAC SHA256 signature for verification

Signature Verification

Critical Security Step: Always verify the webhook signature before processing the payload. This ensures the request is legitimate and from Payviox.
The Signature header contains an HMAC SHA256 hash of the request body, signed with your webhook token. Here’s how to verify it:

Verification Algorithm

  1. Get the raw request body (JSON string)
  2. Compute HMAC SHA256 hash using your webhook token as the secret key
  3. Compare the computed signature with the Signature header
  4. Only process the webhook if signatures match

Implementation Examples

<?php

function verifyWebhookSignature($payload, $receivedSignature, $webhookToken) {
    // Compute the expected signature
    $computedSignature = hash_hmac('sha256', $payload, $webhookToken);
    
    // Use hash_equals to prevent timing attacks
    return hash_equals($computedSignature, $receivedSignature);
}

// Example usage in a Laravel controller
public function handleWebhook(Request $request) {
    // Get the raw payload
    $payload = $request->getContent();
    
    // Get the signature from headers
    $receivedSignature = $request->header('Signature');
    
    // Your webhook token from the dashboard
    $webhookToken = env('PAYVIOX_WEBHOOK_TOKEN');
    
    // Verify the signature
    if (!verifyWebhookSignature($payload, $receivedSignature, $webhookToken)) {
        // Invalid signature - reject the request
        return response()->json(['error' => 'Invalid signature'], 401);
    }
    
    // Parse the verified payload
    $data = json_decode($payload, true);
    
    // Process the webhook based on type
    switch ($data['type']) {
        case 'succeeded':
            // Payment succeeded - fulfill the order
            $this->fulfillOrder($data['order_id'], $data);
            break;
            
        case 'pending_review':
            // Payment flagged for fraud review - DO NOT ship yet
            $this->updateOrderStatus($data['order_id'], 'pending_review');
            break;
            
        case 'declined':
            // Payment declined by fraud prevention - customer refunded
            $this->handleDeclinedPayment($data['order_id']);
            break;
            
        case 'refunded':
            // Payment was refunded
            $this->handleRefund($data['order_id'], $data);
            break;
    }
    
    // Return 200 OK to acknowledge receipt
    return response()->json(['status' => 'success'], 200);
}

private function fulfillOrder($orderId, $webhookData) {
    // Your order fulfillment logic
    $order = Order::where('order_id', $orderId)->first();
    
    if ($order) {
        $order->status = 'completed';
        $order->payment_provider = $webhookData['provider'];
        $order->payment_amount = $webhookData['amount'];
        $order->session_id = $webhookData['metadata']['integration_session_id'];
        $order->save();
        
        // Send confirmation email, provision services, etc.
    }
}

Retry Logic

Payviox implements an automatic retry mechanism for failed webhook deliveries:
1

First Attempt

Instant delivery (0 seconds)
2

Second Attempt

30 seconds after first failure
3

Third Attempt

5 minutes after second failure
4

Fourth Attempt

30 minutes after third failure
After 4 failed attempts, the webhook will be marked as failed. You can manually retry failed webhooks from the Payviox Dashboard.

Success Criteria

A webhook is considered successfully delivered when your endpoint:
  • Returns HTTP status code 200
  • Responds within 30 seconds

Troubleshooting

Common Issues

Possible causes:
  • Using the wrong webhook token
  • Parsing/modifying the request body before verification
  • Incorrect HMAC algorithm (must be SHA256)
Solution: Always verify against the raw request body, before any parsing or modifications.
Possible causes:
  • Incorrect webhook URL in dashboard
  • Firewall blocking Payviox IP addresses
  • Server not responding within 30 seconds
Solution: Check your webhook URL configuration and server logs.
Possible causes:
  • Not implementing idempotency checks
  • Slow response times causing retries
Solution: Implement idempotency using session_id and order_id, and respond quickly with 200 OK.
Possible causes:
  • Processing taking too long before responding
  • Database locks or slow queries
Solution: Return 200 OK immediately and process webhooks asynchronously in a queue.

Security Checklist

Need Help?

If you’re having trouble with webhook integration:
Include your webhook attempt IDs from the dashboard when contacting support for faster resolution.