Whenever a payment event occurs (paid, expired, cancelled, refunded), Quickei sends an HTTP POST request to your configured callback_url with a JSON payload. The request includes an HMAC-SHA256 signature for verification.
Every webhook includes an X-Quickei-Signature header. Always verify the signature before processing the event.
PHP
Python
Node.js
$payload = file_get_contents('php://input');$signature = $_SERVER['HTTP_X_QUICKEI_SIGNATURE'] ?? '';$expected = 'sha256=' . hash_hmac( 'sha256', $payload, $client_secret // Your API client secret);if (!hash_equals($expected, $signature)) { http_response_code(403); exit('Invalid signature');}// Signature valid — process the event$event = json_decode($payload, true);switch ($event['event']) { case 'pos.order.paid': // Update order, send confirmation email, etc. break; case 'pos.order.refunded': // Process refund in your system break;}http_response_code(200);
import hmacimport hashlibimport jsondef handle_webhook(request): payload = request.body signature = request.headers.get('X-Quickei-Signature', '') expected = 'sha256=' + hmac.new( client_secret.encode(), payload, hashlib.sha256 ).hexdigest() if not hmac.compare_digest(expected, signature): return HttpResponse(status=403) event = json.loads(payload) if event['event'] == 'pos.order.paid': # Update order in your system pass return HttpResponse(status=200)
const crypto = require('crypto');app.post('/webhook', (req, res) => { const payload = JSON.stringify(req.body); const signature = req.headers['x-quickei-signature'] || ''; const expected = 'sha256=' + crypto .createHmac('sha256', clientSecret) .update(payload) .digest('hex'); if (signature !== expected) { return res.status(403).send('Invalid signature'); } // Signature valid — process the event const { event, data } = req.body; if (event === 'pos.order.paid') { // Update order in your system } res.sendStatus(200);});
