Xellion Logo Webhook API Docs
Overview Payload Statuses

Webhook Notifications

Listen for asynchronous payment updates. Once a transaction reaches a final state, a JSON payload is sent via a POST request to your webhook URL.

POST Request Application/JSON Event Triggers Secret Key Verification

Quick Summary

  • Method: POST
  • Content type: application/json
  • Fields: userId, orderId, amount, status, and secretKey
  • Supported scenarios: Deposit & Withdrawal Updates
  • Use secretKey to verify webhook authenticity on your end

Webhook Payload

This is the JSON data structure sent to your selected callback URL when a status changes.

Field Type Description
userId String The unique identifier of your user, as sent in your original API request.
orderId String The unique order reference you passed when creating the payment or withdrawal request.
amount Number The nominal value of the transaction.
status String The transaction outcome enum. Possible values: PROCESSING, SUCCESS, FAILED.
secretKey String The secret key you provided in your original API request. Use this to verify the webhook request is valid and authentic. Compare this value with the secretKey you sent during payment/withdrawal creation.
Make sure your webhook listener responds with an HTTP 200 OK status code to acknowledge the receipt of the payload.

Sample JSON Payload

Here is an example of what your server will receive exactly:

{
  "userId": "1234",
  "orderId": "5943283783228437583",
  "amount": 100,
  "status": "FAILED",
  "secretKey": "32435j4kh53kj45"
}

🔐 Webhook Verification

How to verify that the webhook request is legitimate and not forged.

Every webhook response includes the secretKey that you originally sent in your deposit or withdrawal API request. To verify the webhook:

  1. Store the secretKey you sent during payment/withdrawal creation on your server.
  2. When you receive a webhook, compare the secretKey in the payload with the one stored on your server.
  3. If they match, the webhook is valid. If not, reject the request.
// Example: Verify webhook on your server (Node.js)
app.post('/webhook', (req, res) => {
  const { userId, orderId, amount, status, secretKey } = req.body;

  // Compare with the secretKey you stored during payment creation
  const storedSecretKey = getStoredSecretKey(orderId); // your DB lookup

  if (secretKey !== storedSecretKey) {
    return res.status(401).json({ error: 'Invalid webhook signature' });
  }

  // Webhook is valid — process the payment update
  console.log(`Order ${orderId} status: ${status}`);
  res.status(200).json({ received: true });
});

Transaction Statuses

The status property indicates the latest state of the payment. Handle these states programmatically.

PROCESSING
PROCESSING The transaction is still being processed and hasn't reached a final state yet.
SUCCESS
SUCCESS The funds were transferred or the payment was received by the system.
FAILED
FAILED The transaction could not be completed, or was rejected by the provider.
Xellion PSP — Webhook API documentation page. Designed for merchant integration and testing.