Webhook

Craftgate regularly transmits the results and information of the following transactions to a URL that you define from merchant panel. Thus, you can follow the results of all your payment transactions made through Craftgate, even if the payment flow is interrupted, and you can plan your flows according to the payment results.

  1. Payment Transaction Result: The result of the payment transaction, whether successful or unsuccessful, is transmitted to the webhook address.
  2. 3D Payment Transaction Result: The result of the 3D Payment transaction, whether successful or unsuccessful, is transmitted to the webhook address.
  3. 3D Secure Verification Result: The result of the 3D Secure verification process, whether successful or unsuccessful, is transmitted to the webhook address.
  4. Payment Transaction Result in uses of Payment Form: The result of the payment transaction made using the payment form, whether successful or unsuccessful, is transmitted to the webhook address you provided.

In the 3DS payment flow, your requests to the callbackUrl address are made through the browser. Requests to the callbackUrl address may not be met if the end user stops the flow or problems occur in the user’s internet. Therefore, our webhook services can be especially useful for tracking 3DS payments and detecting user behavior.

Address Definition to Receive Webhook Notification

In order to activate the Webhook notification, the Merchant Webhook URL field under Craftgate panel Settings -> Merchant Settings-> General Settings must be filled in. When you accept the POST requests as the webhook URL and enter a URL that returns 2xx from the HTTP codes, Craftgate will send the relevant data after the payments.

Webhook Settings

Request Forwarded to the Webhook Address

Payment, 3D payment and 3D secure verification results are sent to the webhook address you specified in JSON format via POST http method.

While 3DS payment

  • If processing POS uses 3D Model which means you should call 3DS complete after 3DS verification, THREEDS_VERIFY event type will be sent after 3DS verification and API_AUTH event type after 3DS complete.
  • If processing POS uses 3D Pay Model, only API_VERIFY_AND_AUTH event will be sent instead of THREEDS_VERIFY andAPI_AUTH event type.
  • If you are using checkout form, instead of other events, only CHECKOUTFORM_AUTH will be sent.

Request Parameters

Parameter Name Type Description
eventTime date The date the request is created
eventType string Indicates for which operation the request is sent. Values can be: THREEDS_VERIFY, API_AUTH, API_VERIFY_AND_AUTH and CHECKOUTFORM_AUTH
status string The status information of the operation. Values can be: SUCCESS, FAILURE
payloadId string ID value of the payment or token information of the Payment Form

Confirming that the Request Forwarded to the Webhook Address is Sent by Craftgate

In order to confirm that the requests received on your webhook URL are sent from the Craftgate system, the x-cg-signature sent between the HTTP headers should be checked. The x-cg-signature is calculated by combining as String the fields sent in the request and taking the Hash with the HmacSHA256 algorithm.

For example, when eventType+eventTime+status+payloadId information is combined as a String for the payment with ID 2150001, which was successfully received on 2022-01-01T09:30:32.123456 using API integration, API_AUTH2022-01-01T09:30:32.123456SUCCESS2150001 results.

When you hash this with the Merchant Webhook Key value in the Craftgate Merchant Panel Settings section and you get the Base64 encoded version, the result equals to the x-cg-signature.