Webhook Handling Patterns

Webhooks are the authoritative event stream for card activity and master-account ledger movements.

Delivery Contract #

Payload schema:

{
  "event": "card_transaction",
  "data": {
    "id": "5b2fa934-1f1d-4b71-8d5a-a3e2f61ac1af",
    "cardId": "0b1e9c6e-5d87-4f90-8c4d-0ad6f4ce4be5",
    "transactionAmount": "12.34",
    "transactionCurrency": "USD",
    "type": "authorization",
    "referenceId": "c8de3ebf-5b2d-4020-a7bb-65f88c3a37ce",
    "timestamp": "2025-06-02T11:24:12Z"
  }
}

Recommended Ingestion Flow #

1. Verify x-signature before parsing payload.
2. Persist raw payload keyed by data.id.
3. Handle duplicates idempotently.
4. Return 204 No Content quickly.
5. Process business logic asynchronously.

Event Types #

Join events by referenceId for full flow reconciliation.

Replay Strategy #

If your endpoint was unavailable, replay failed deliveries:

curl -X POST "$PAYCA_BASE_URL/v1/webhooks/resend?fromDate=2025-06-01T00:00:00Z" \
  -H "x-client-id: $PAYCA_CLIENT_ID" \
  -H "x-client-secret: $PAYCA_CLIENT_SECRET"

Recommendations:

• Replay in chronological order.
• Rate-limit replay processing to avoid 429.
• Monitor replay completion and remaining failures.
• Use response counters (account, card, total) to validate scope.

Client-Side Storage Recommendations #

Store at least these fields from every webhook:

• Envelope: event, receive timestamp, HTTP headers (x-request-id, x-idempotency-key).
• Data object: id, referenceId, type, subtype, amount, currency, cardId, accountId (when present).

This is sufficient for replay, audit, and financial reconciliation.

Alerting & Security #

• Alert when webhook failures spike or replay backlog grows.
• Track end-to-end webhook latency.
• Serve webhook endpoints over HTTPS (TLS 1.2+).
• Rotate secrets regularly and support overlap during key rotation.

Continue with Webhook Balance Effects for event-by-event balance impact.