Webhook event types and the signature scheme are still being finalized.
Expect the signature to share the HMAC canonicalization scheme used for
server-to-server requests. 🚧
Event types
| Event | When it fires |
|---|---|
payment_intent.captured | Provider confirmed payout; merchant has been paid |
payment_intent.failed | Final failure; intent will not be retried |
payment_intent.refunded | Refund completed end-to-end |
Delivery
- Webhooks are
POSTed as JSON to your registered endpoint. - We retry with exponential backoff on non-2xx responses for up to 24 hours.
- Order is not guaranteed. Treat your handler as idempotent — keyed on
event_id.
Signature verification
Each webhook carries anX-Zennopay-Signature header. Verify it by
re-computing HMAC-SHA256 over the canonical request (see
Authentication) using the webhook signing secret issued
during onboarding (distinct from your API signing secret).