Pay In Webhook Example

Example Data

The webhook will be sent to https://api.example.com/v1/webhook?param=value
With HTTP Method POST

The payload of the webhook is as follows

{
    "schemaVersion": "1.0.1",
    "timestamp": "2024-11-29T10:05:01.530805501Z",
    "data": {
        "id": "pymt-01JDVNTTEZWNMVJYXSZEZR86G6",
        "initiatedAmount": "10000",
        "paymentAmount": "10000",
        "feeAmount": "2775",
        "currency": "IDR",
        "paymentMethod": "VIRTUAL_ACCOUNT",
        "paymentChannel": "BRI.VA",
        "paymentCode": "1308300301295957",
        "paymentCodeType": "ACCOUNT_NUMBER",
        "referenceCode": "6c7d9958-0fd9-45df-b8b5-dc8450be0ca6",
        "customerReference": "123456789",
        "customerName": "John Doe",
        "status": "SUCCESS",
        "createdTime": "2024-11-29T10:05:01.20399773Z",
        "updatedTime": "2024-11-29T10:05:01.20399773Z",
        "expirationTime": "2024-11-30T10:00:29.943368Z",
        "description": "Payment description",
        "payerAccountName": "",
        "payerAccountNumber": "",
        "payerPaymentChannel": "",
        "metadata": {},
        "errorCode": "",
        "errorMessage": ""
    }
}

Timestamp from X-Xenith-Timestamp Header is 2024-11-29T10:05:01.530805501Z

And the Webhook Signature Secret is

c238eaeb9561e104d6712f21bc0552818dcf3290a351103e4aba575df2a8c951

Concatenated String

Based on the request above the following string is produced:

POST\n/v1/webhook?param=value\n{"schemaVersion":"1.0.1","timestamp":"2024-11-29T10:05:01.530805501Z","data":{"id":"pymt-01JDVNTTEZWNMVJYXSZEZR86G6","initiatedAmount":"10000","paymentAmount":"10000","feeAmount":"2775","currency":"IDR","paymentMethod":"VIRTUAL_ACCOUNT","paymentChannel":"BRI.VA","paymentCode":"1308300301295957","paymentCodeType":"ACCOUNT_NUMBER","referenceCode":"6c7d9958-0fd9-45df-b8b5-dc8450be0ca6","customerReference":"123456789","customerName":"John Doe","status":"SUCCESS","createdTime":"2024-11-29T10:05:01.20399773Z","updatedTime":"2024-11-29T10:05:01.20399773Z","expirationTime":"2024-11-30T10:00:29.943368Z","description":"Payment description","payerAccountName":"","payerAccountNumber":"","payerPaymentChannel":"","metadata":{},"errorCode":"","errorMessage":""}}\n2024-11-29T10:05:01.530805501Z

Maintenance Webhook (Pay Ins) Example

Example Data

The webhook will be sent to https://api.example.com/v1/webhook?param=value
With HTTP Method POST

The payload of the webhook is as follows

{
    "schemaVersion": "1.0.1",
    "timestamp": "2025-10-07T08:30:25.758598987Z",
    "eventType": "maintenance.started.payins",
    "data": {
        "currency": "IDR",
        "paymentMethod": "VIRTUAL_ACCOUNT",
        "paymentChannels": [
            "MDR.VA"
        ],
        "status": "INACTIVE"
    }
}

Timestamp from X-Xenith-Timestamp Header is 2025-10-07T08:30:25.758598987Z

And the Webhook Signature Secret is

c238eaeb9561e104d6712f21bc0552818dcf3290a351103e4aba575df2a8c951

Concatenated String

Based on the request above the following string is produced:

POST\n/v1/webhook?param=value\n{"schemaVersion":"1.0.1","timestamp":"2025-10-07T08:30:25.758598987Z","eventType":"maintenance.started.payins","data":{"currency":"IDR","paymentMethod":"VIRTUAL_ACCOUNT","paymentChannels":["MDR.VA"],"status":"INACTIVE"}}\n2025-10-07T08:30:25.758598987Z

Pay Out Webhook Request Example

Example Data

The webhook will be sent to https://api.example.com/v1/webhook?param=value
With HTTP Method POST

The payload of the webhook is as follows

{
    "schemaVersion": "1.0.1",
    "timestamp": "2024-11-30T06:54:08.556274303Z",
    "data": {
        "id": "pyout-01JDX620YP41KR6TSV68DK87DQ",
        "initiatedAmount": "10000",
        "sentAmount": "10000",
        "feeAmount": "0",
        "currency": "IDR",
        "destinationPayoutChannel": "CENAIDJA",
        "destinationPayoutMethod": "BANK_TRANSFER",
        "referenceCode": "referenceCode - 1716098555",
        "customerReference": "test-customerReference-123",
        "status": "SUCCESS",
        "createdTime": "2024-11-30T00:03:18.667578Z",
        "updatedTime": "2024-11-30T06:54:08.27552654Z",
        "description": "Sending Money-1716098555",
        "errorCode": "",
        "errorMessage": ""
    }
}

Timestamp from X-Xenith-Timestamp Header is 2024-11-30T06:54:08.556274303Z

And the Webhook Signature Secret is

c238eaeb9561e104d6712f21bc0552818dcf3290a351103e4aba575df2a8c951

Maintenance Webhook (Pay Outs) Example

Example Data

The webhook will be sent to https://api.example.com/v1/webhook?param=value
With HTTP Method POST

The payload of the webhook is as follows

{
    "schemaVersion": "1.0.1",
    "timestamp": "2025-10-07T08:30:25.758598987Z",
    "eventType": "maintenance.started.payouts",
    "data": {
        "currency": "IDR",
        "destinationPayoutMethod": "BANK_TRANSFER",
        "destinationPayoutChannels": [
            "CENAIDJA", "BNIAIDJA"
        ],
        "status": "INACTIVE"
    }
}

Timestamp from X-Xenith-Timestamp Header is 2025-10-07T08:30:25.758598987Z

And the Webhook Signature Secret is

c238eaeb9561e104d6712f21bc0552818dcf3290a351103e4aba575df2a8c951

Concatenated String

Based on the request above the following string is produced:

POST\n/v1/webhook?param=value\n{"schemaVersion":"1.0.1","timestamp":"2025-10-07T08:30:25.758598987Z","eventType":"maintenance.started.payouts","data":{"currency":"IDR","destinationPayoutMethod":"BANK_TRANSFER","destinationPayoutChannels":["CENAIDJA","BNIAIDJA"],"status":"INACTIVE"}}\n2025-10-07T08:30:25.758598987Z

Code Examples

Concatenated String

Based on the request above the following string is produced:

POST\n/v1/webhook?param=value\n{"schemaVersion":"1.0.1","timestamp":"2024-11-30T06:54:08.556274303Z","data":{"id":"pyout-01JDX620YP41KR6TSV68DK87DQ","initiatedAmount":"10000","sentAmount":"10000","feeAmount":"0","currency":"IDR","destinationPayoutChannel":"CENAIDJA","destinationPayoutMethod":"BANK_TRANSFER","referenceCode":"referenceCode - 1716098555","customerReference":"test-customerReference-123","status":"SUCCESS","createdTime":"2024-11-30T00:03:18.667578Z","updatedTime":"2024-11-30T06:54:08.27552654Z","description":"Sending Money-1716098555","errorCode":"","errorMessage":""}}\n2024-11-30T06:54:08.556274303Z

Code Examples

// Example: https://go.dev/play/p/UaaPTdxKehj

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

func generateHmacSha256(data, secretKey string) string {
	// Create a new HMAC by defining the hash type and the key
	h := hmac.New(sha256.New, []byte(secretKey))
	
	// Write Data to it
	h.Write([]byte(data))
	
	// Get result and encode with base64
	sha := base64.StdEncoding.EncodeToString(h.Sum(nil))
	
	return sha
}

func main() {
	data := "Hello World"
	secretKey := "mySecretKey123"
	
	result := generateHmacSha256(data, secretKey)
	fmt.Printf("HMAC SHA256 (Base64): %s\n", result)
  
  // HMAC SHA256 (Base64): rx7xqENKKkDHPxGQqdOiZSUz0gy/Bdge6hD8LuowQ9Q=
}

// Example: https://onlinephp.io/c/d4978

<?php
function generateHmacSha256($data, $secretKey) {
    // Generate HMAC using SHA256 algorithm
    $hmac = hash_hmac('sha256', $data, $secretKey, true);
 
    // Encode the binary hash to base64
    $encodedHmac = base64_encode($hmac);
    
    return $encodedHmac;
}
 
// Example usage
$data = 'Hello World';
 
$secretKey = "mySecretKey123";
 
$result = generateHmacSha256($data, $secretKey);
echo "HMAC SHA256 (Base64): " . $result;

// HMAC SHA256 (Base64): rx7xqENKKkDHPxGQqdOiZSUz0gy/Bdge6hD8LuowQ9Q=

Important Note on JSON Field Ordering

⚠️
Critical for Signature Verification

When receiving webhooks and verifying signatures, please note:

The order of JSON fields in the webhook payload is not guaranteed - Fields may appear in a different order between webhook deliveries or retries
Always use the exact payload as received - Do not parse and reconstruct the JSON object for signature verification
Minify the raw JSON string without reordering - Remove whitespace/formatting but maintain the exact field order from the received payload
Do not parse and re-serialize - Parsing to an object and converting back to JSON may reorder fields and cause signature verification to fail