Best Practices

1. Always Verify Signatures

Never skip signature verification. This is your primary defense against fraudulent webhooks.

2. Use HTTPS Endpoints Only

Paymento only sends webhooks to HTTPS URLs, so payloads are encrypted in transit.

3. Respond Quickly

Your webhook endpoint should respond with a 200 OK status code within 5 seconds. Defer heavy processing to an asynchronous job or queue rather than doing it inside the request.

4. Handle Idempotency

Webhooks might be delivered more than once. Use the event.id field to track events you have already processed and skip duplicates.

5. Log Everything

Keep detailed logs of all webhook requests for debugging and auditing.

6. Test Your Endpoint

Use the "Test Webhook" feature in the Paymento dashboard to verify your endpoint is working correctly before going live.

7. Use Environment Variables

Never hardcode your secret key. Use environment variables or secure configuration management.

8. Handle Errors Gracefully

If your endpoint fails, return appropriate HTTP status codes:

  • 200 - Successfully received and processed

  • 401 - Invalid signature

  • 500 - Internal server error (Paymento will retry)
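The following handler puts practices 1, 4, 5, 7 and 8 together in one place. It is an added example written for this page, not Paymento's own code or SDK, and it assumes details the page does not state: that the signature is an HMAC-SHA256 hex digest of the raw request body keyed with the webhook secret, that it arrives in a header named here X-Paymento-Signature (a placeholder), that the body is JSON with a top-level "id" field, and that the secret is read from an environment variable named PAYMENTO_WEBHOOK_SECRET (also a placeholder). The handler returns the HTTP status the page lists for each outcome and hands accepted events to a queue so the response can go out quickly.

```python
import hashlib
import hmac
import json
import os

# Placeholder header name: this page does not document the real one.
SIGNATURE_HEADER = "X-Paymento-Signature"


def load_secret() -> str:
    """Read the webhook secret from the environment (never hardcode it).
    The variable name is an assumption for this example."""
    secret = os.environ.get("PAYMENTO_WEBHOOK_SECRET")
    if not secret:
        raise RuntimeError("PAYMENTO_WEBHOOK_SECRET is not set")
    return secret


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over the exact raw body, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value) -> bool:
    """Constant-time comparison; a missing header is treated as invalid."""
    if not isinstance(header_value, str) or not header_value:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode("utf-8"), header_value.encode("utf-8"))


def handle_webhook(headers: dict, raw_body: bytes, secret: str,
                   processed_ids: set, work_queue: list, audit_log: list):
    """Return (status_code, message) for one delivery.

    - 401 when the signature is missing or wrong (practice 1 / 8)
    - 200 for accepted events and for duplicates (practice 4)
    - 500 for anything unexpected, so the sender retries (practice 8)
    processed_ids and audit_log stand in for durable storage in this example.
    """
    try:
        if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
            audit_log.append({"outcome": "rejected", "reason": "bad signature"})
            return 401, "invalid signature"

        event = json.loads(raw_body)
        event_id = event["id"]

        if event_id in processed_ids:
            audit_log.append({"outcome": "duplicate", "event_id": event_id})
            return 200, "duplicate ignored"

        # Record the id and enqueue the event; the actual business logic
        # runs later in a worker so this handler returns well within 5 s.
        processed_ids.add(event_id)
        work_queue.append(event)
        audit_log.append({"outcome": "accepted", "event_id": event_id})
        return 200, "accepted"
    except Exception as exc:  # malformed body, missing id, storage failure, ...
        audit_log.append({"outcome": "error", "reason": repr(exc)})
        return 500, "internal error"


if __name__ == "__main__":
    # Constructed demo delivery, signed with a constructed secret.
    demo_secret = "demo-secret-not-real"
    body = b'{"id": "evt_demo_1", "type": "payment.completed"}'
    headers = {SIGNATURE_HEADER: compute_signature(demo_secret, body)}
    print(handle_webhook(headers, body, demo_secret, set(), [], []))
```

Two points worth keeping in mind when adapting this: the signature must be computed over the raw bytes exactly as received, because re-serialising parsed JSON changes whitespace and key order and breaks the digest; and the processed-id set should live in a database or cache shared by all instances of the endpoint, otherwise a redelivery that lands on a different instance is processed twice.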