Never skip signature verification. This is your primary defense against fraudulent webhooks.
Paymento only sends webhooks to HTTPS URLs to ensure data security in transit.
Your webhook endpoint should respond with a 200 OK status code within 5 seconds. Do heavy processing asynchronously.
Webhooks might be delivered more than once. Use the event.id to track processed events and avoid duplicate processing.
Keep detailed logs of all webhook requests for debugging and auditing.
Use the "Test Webhook" feature in the Paymento dashboard to verify your endpoint is working correctly before going live.
Never hardcode your secret key. Use environment variables or secure configuration management.
If your endpoint fails, return appropriate HTTP status codes:
200 - Successfully received and processed
401 - Invalid signature
500 - Internal server error (Paymento will retry)
Last updated
