Webhooks
Receive real-time notifications when events occur in your Payload account
Webhooks enable real-time event notifications by sending HTTP POST requests to your server when specific events occur. Instead of polling the Payload API to check for changes, webhooks push event data to your application instantly, allowing you to build responsive, event-driven integrations that react immediately to activity in your account.
Common use cases
- Automatically fulfill orders and send receipts when payments complete
- Send email or SMS notifications for transaction events
- Sync transaction data to accounting and external systems
- Monitor business metrics and detect anomalies in real-time
- Trigger marketing campaigns based on customer activity
- Update databases and maintain audit trails of all activity
Webhooks are the foundation of event-driven architectures. Use them to automate workflows, synchronize data across systems, send notifications, and build integrations that respond instantly to events without constant polling.
Quick Start Guide
Get started with webhooks in three steps: create a webhook, implement a handler, and test your integration.
Create a Webhook
Create a webhook by specifying a trigger event and your endpoint URL.
This creates a webhook that monitors for the processed trigger and posts to your URL when
matching events occur.
Implement a Handler
Create an endpoint to receive webhook POST requests.
Your webhook handler should:
- Accept POST requests at your configured URL
- Parse the JSON payload
- Return a 200 status code within 30 seconds
- Process events asynchronously for reliability
Test Your Webhook
Trigger an event to test your webhook:
- Trigger Event: Create a transaction or perform an action that matches your webhook trigger
- Verify Receipt: Confirm your handler receives the webhook POST request
- Check Logs: Review webhook logs to verify successful delivery
- Validate Data: Ensure the payload contains expected event details
Development Testing: Use tools like ngrok to expose local development servers to receive webhooks during development. This allows you to test webhook handlers before deploying to production.
Webhook Triggers
Webhooks support various triggers covering transaction events, payment activity, and payment method changes.
Transaction Lifecycle Events
| Trigger | When It Fires | Common Use Cases |
|---|---|---|
payment | Payment transaction created | Log all payment attempts, fraud monitoring |
processed | Transaction completed successfully | Fulfill orders, send receipts, update inventory |
authorized | Payment authorized (not captured) | Reserve inventory, verify orders before capture |
decline | Payment declined by processor/bank | Notify customer, retry payment, update order status |
adjusted | Transaction amount adjusted | Update accounting, notify customer of changes |
refund | Refund transaction created | Update inventory, notify customer, reverse charges |
void | Transaction voided | Cancel order, release inventory, notify customer |
reject | Transaction rejected | Handle NSF, invalid accounts, retry payment |
Payout and Funding Events
| Trigger | When It Fires | Common Use Cases |
|---|---|---|
payout | Payout transaction created | Track outgoing payments, notify recipients |
deposit | Deposit transaction created | Monitor account funding, track cash flow |
withdraw | Withdraw transaction created | Track outgoing funds, monitor cash outflows |
Recurring Payment Events
| Trigger | When It Fires | Common Use Cases |
|---|---|---|
automatic_payment | Scheduled payment triggered | Monitor subscription billing, handle failures |
Account and Link Status Events
| Trigger | When It Fires | Common Use Cases |
|---|---|---|
intent:status | Intent status changes (coming soon) | Track intent lifecycle, monitor setup |
payment_link:status | Payment link status changes | Monitor link usage, track completion |
processing_status | Any processing account status change | Specifies when account becomes active or goes on hold |
Transaction Operation Events
| Trigger | When It Fires | Common Use Cases |
|---|---|---|
transaction:operation | Transaction operation triggered | Monitor batch operations, track processing status |
transaction:operation:clear | Transaction operation cleared | Track completion, handle post-operation tasks |
For specific transaction webhook documentation, see:
- Transaction Webhooks - Payment and payout event monitoring
Trigger Selection: Choose specific triggers that match your needs rather than generic triggers that fire frequently. Specific triggers reduce webhook volume, simplify handlers, and improve reliability.
Webhook Payload Structure
All webhooks send a consistent payload structure containing event details.
Standard Webhook Payload
{
"object": "webhook_trigger",
"event_id": "evt_XYZ789",
"trigger": "processed",
"triggered_on": {
"id": "txn_ABC123",
"object": "transaction",
"value": "processed"
}
}Payload Fields
- object: Always
webhook_triggerfor webhook events - event_id: Unique identifier for this webhook event that remains constant across retries. Use this for idempotency to prevent processing the same event multiple times.
- trigger: The event type that triggered this webhook
- triggered_on: Details about the object that caused the trigger
- id: Unique identifier of the triggering object
- object: Type of object (e.g.,
transaction,customer) - value: Current status or state of the object
Retrieving Full Object Details
The webhook payload includes minimal object information. To get complete details:
Webhook Security
Secure your webhook endpoints to ensure requests are genuinely from Payload and haven't been tampered with.
Signature Verification
Verify webhook authenticity using HMAC-SHA256 signatures. Each webhook request includes an
X-Payload-Signature header containing a signature of the payload. Implement
Signature Verification to validate that webhook requests
originate from Payload and haven't been tampered with, preventing unauthorized requests from
triggering actions in your system.
OAuth Authentication
For endpoints requiring OAuth 2.0 authentication, configure OAuth parameters when creating webhooks. Payload automatically obtains and includes access tokens in webhook requests to protected endpoints. Learn how to set up OAuth Authentication for enterprise-grade security on your webhook endpoints.
Security Best Practices
Always use HTTPS for webhook URLs in production, verify signatures to prevent unauthorized access, and validate payloads before processing. Use cryptographically secure webhook secrets, rotate them periodically for security, and log verification failures for monitoring. Implement rate limiting to protect endpoints from abuse, and ensure handlers validate the webhook structure and content before taking action.
Production Security: Always implement signature verification for production webhooks. Without verification, anyone who discovers your webhook URL could send fake requests, potentially triggering unauthorized actions in your system.
Webhook Reliability and Retries
Payload ensures reliable webhook delivery through automatic retries and comprehensive logging.
Automatic Retries
Webhooks are automatically retried when delivery fails:
- Retry Triggers: HTTP errors (4xx, 5xx), timeouts, network failures
- Max Retries: Configurable when creating webhooks (default: 0)
- Success Condition: 2xx HTTP response stops retries
Configuring Retries
Idempotency
Since webhooks may be delivered multiple times, implement idempotent handlers:
Use the event_id field from the webhook payload to detect and skip duplicate deliveries. The
event_id remains constant across all retry attempts for the same event.
Idempotency Critical: Always implement idempotency in webhook handlers. Due to retries and network issues, webhooks may be delivered multiple times. Idempotent handlers ensure duplicate deliveries don't cause duplicate actions or data corruption.
Monitoring and Debugging
Monitor webhook delivery and debug issues using webhook logs.
Viewing Webhook Logs
What Logs Show
Webhook logs include:
- Delivery timestamps
- HTTP response status codes
- Triggered events
- Objects that triggered webhooks
- Retry attempts
- Destination URLs
Common Status Codes
| Status | Meaning | Next Steps |
|---|---|---|
| 200 | Success | Webhook processed successfully |
| 401 | Unauthorized | Check signature verification or OAuth |
| 404 | Not Found | Verify webhook URL is correct |
| 500 | Server Error | Check application logs, fix bugs |
| Timeout | No Response | Optimize handler, return 200 faster |
For comprehensive debugging, see:
- Debugging Webhooks Guide - Complete troubleshooting reference
Managing Webhooks
List, update, and delete webhooks using the Payload API.
Listing Webhooks
Updating Webhooks
Deleting Webhooks
Webhook changes take effect immediately for new events. In-flight deliveries may still use old configurations.
Testing Webhooks
Test webhook implementations before production deployment.
Local Development Testing
Using ngrok:
# Expose local server to receive webhooks
ngrok http 3000
# Use the HTTPS URL for webhook creation
# https://abc123.ngrok.io/webhooks/handlerUsing webhook.site:
- Visit https://webhook.site (opens in a new tab)
- Copy the unique URL
- Create webhook with that URL
- Trigger events and inspect payloads
Testing Checklist
Test these scenarios before production:
- Webhook handler receives POST requests correctly
- Handler returns 200 status within 30 seconds
- Signature verification works (if implemented)
- OAuth authentication works (if implemented)
- Invalid signatures are rejected properly
- Handler is idempotent (handles duplicates)
- Error handling returns appropriate status codes
- Handler scales under load
- Logs capture important information
- Monitoring alerts trigger correctly
Test Mode
Use Payload test mode to test webhooks safely:
- Test transactions trigger test webhooks
- No impact on production data
- Same webhook behavior as production
- Verify implementation before going live
Test Thoroughly: Comprehensive testing prevents production issues. Test successful delivery, failure scenarios, retry behavior, signature verification, and load handling before deploying webhook handlers to production.
Best Practices
Follow these best practices to build reliable, secure webhook integrations.
- Return 200 Immediately: Acknowledge webhooks quickly, process asynchronously
- Implement Idempotency: Handle duplicate deliveries safely
- Always Use HTTPS: Webhook URLs must be HTTPS in production
- Verify Signatures: Required for production webhook security
- Validate Payloads: Check webhook structure before processing
Schema Reference
Webhook configuration fields for creating and managing webhooks.
Webhook Configuration
triggerbank_account_reject, reject, refund, void, chargeback, chargeback_reversal, automatic_payment, payment, processed, authorized, adjusted, decline, processing_status, deposit, payment_activation:status, payment_link:status, reversal, credit, transaction:operation, transaction:operation:clear, payout, withdrawurlretriessender_secretoauth_paramsauth_urlclient_idclient_secretgrant_typeresourcescopeNext Steps
Secure webhooks, monitor delivery, and build event-driven integrations
Secure Your Webhooks
Implement Signature Verification with HMAC-SHA256 to verify webhook authenticity, configure OAuth Authentication for protected endpoints requiring enterprise-grade security, and review the Webhook API Reference for complete security options.
Monitor and Debug Webhooks
Troubleshoot delivery issues with Debugging Webhooks to identify and resolve failed webhook deliveries, monitor webhook history to track event processing, and implement retry logic to handle temporary failures gracefully.
Monitor Specific Events
Subscribe to Transaction Webhooks to monitor payment and payout events in real-time, track invoice lifecycle events for automated billing workflows, and receive notifications for account status changes and entity verification updates.
Build Event-Driven Integrations
Use webhooks to automate order fulfillment when payments complete, sync transaction data to external systems and accounting platforms, trigger customer notifications via email or SMS, and build responsive systems that react instantly to events without polling.
Related articles
- Transaction Webhooks - Payment event monitoring
- Signature Verification - Webhook security
- Debugging Webhooks - Troubleshooting guide
- OAuth Authentication - OAuth webhooks
- Webhooks API Reference - Webhook object reference