AEVIONTrust · IP · Globus
DemoAuthQRightQSignBureauPlanetAwardsBankChessPricingAPI
← Payments Rail

Webhooks

Real-time event delivery for every payment lifecycle state. HMAC-SHA256 signed payloads, exponential-backoff retries, and full audit log.

Endpoints
0/0
Delivered 24h
0
Failed 24h
0
Signing
HMAC-SHA256
New webhook endpoint
Endpoints
Register your first endpoint above. We'll generate an HMAC secret used to sign every payload — verify on your side using the snippet below.
Verify the signature
// Node.js verification — matches the signature attached to test deliveries
import { createHmac, timingSafeEqual } from "node:crypto";

export function verify(rawBody, headers, secret) {
  const ts = headers["x-aevion-timestamp"];
  const sig = headers["x-aevion-signature"];
  if (!ts || !sig) return false;

  // Reject replays older than 5 minutes
  if (Math.abs(Date.now() - Number(ts)) > 5 * 60 * 1000) return false;

  const signedBody = `${ts}.${rawBody}`;
  const expected = createHmac("sha256", secret)
    .update(signedBody)
    .digest("hex");

  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(sig, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}