Webhook

Webhook allows you to receive real-time asynchronous notifications from SUNBAY when transaction status changes. Through Webhook, you can update order status promptly and trigger business processes without frequent polling of query interfaces.

Overview

When a transaction status changes to any of the following states, SUNBAY will send a Webhook notification to your configured notifyUrl:

SUCCESS - Transaction successful
FAIL - Transaction failed
CLOSED - Transaction closed

Supported transaction types include:

SALE (Sale)
AUTH (Pre-authorization)
POST_AUTH (Pre-authorization completion)
FORCED_AUTH (Forced authorization)
INCREMENTAL (Incremental authorization)
REFUND (Refund)
VOID (Void)

And all other transaction scenarios.

Request Specification

Basic Information

Property	Description
Request Method	`POST`
Request URL	The `notifyUrl` you provided when initiating the transaction
Content-Type	`application/json; charset=utf-8`
Connection Timeout	5 seconds
Read Timeout	10 seconds

Response Requirements

Your service needs to return an HTTP 200 status code to indicate successful receipt. Any non-200 status code (including 4xx, 5xx) will be considered a failure and trigger the retry mechanism.

Security Verification

Each Webhook request includes the following headers for verifying request origin and preventing replay attacks:

Header	Description
`X-Client-Request-Id`	Unique request ID (UUID format), used for log tracing and idempotent processing
`X-Timestamp`	Request timestamp (milliseconds), recommended to verify timeliness (e.g., valid within 5 minutes) to prevent replay attacks
`X-Signature`	Request signature (HMAC-SHA256), used to verify request integrity

Signature Verification

The signature is generated using the HMAC-SHA256 algorithm:

Signature Key: Webhook signing secret configured in SUNBAY Copilot application details
Signature Content: Raw request body JSON string (maintain field order and format consistency)
Signature Format: Hexadecimal lowercase string

Notification Content

The Webhook request body is in JSON format and contains complete transaction information.

All amount fields are integers in the smallest currency unit (e.g., cents for USD, yen for JPY).

Field Description

To ensure backward compatibility, we may add new fields in future versions. Please ensure your parsing logic can ignore unknown fields to avoid parsing failures due to new fields.

Field	Type	Description
`transactionId`	string	SUNBAY transaction ID
`transactionRequestId`	string	Transaction request ID, used to correlate requests
`referenceOrderId`	string	Your business order number
`transactionStatus`	string	Transaction status: `S` success, `F` failed, `C` closed
`transactionType`	string	Transaction type, such as `SALE`, `AUTH`, `REFUND`, etc.
`createTime`	string	Transaction creation time. Format: yyyy-MM-DDTHH:mm:ss+TIMEZONE (ISO 8601) Format: date-time Example: “2023-11-19T10:30:00+08:00”
`completeTime`	string	Transaction completion time. Format: yyyy-MM-DDTHH:mm:ss+TIMEZONE (ISO 8601) Format: date-time Example: “2023-11-19T10:32:00+08:00”
`priceCurrency`	string	Currency codes (ISO 4217), such as `USD`, `CNY`
`orderAmount`	integer	Order amount (smallest currency unit)
`transactionAmount`	integer	Actual transaction amount (smallest currency unit)
`taxAmount`	integer	Tax amount (smallest currency unit)
`surchargeAmount`	integer	Surcharge amount (smallest currency unit)
`tipAmount`	integer	Tip amount (smallest currency unit)
`cashbackAmount`	integer	Cashback amount (smallest currency unit)
`maskedPan`	string	Masked card number, e.g., `411111******1111`
`cardNetworkType`	string	Card network type, such as `VISA`, `MASTERCARD`
`paymentMethod`	string	Payment method, such as `CARD`, `WALLET`
`subPaymentMethod`	string	Sub payment method
`batchNo`	integer	Batch number
`voucherNo`	string	Voucher number
`stan`	string	System trace audit number
`rrn`	string	Retrieval reference number
`authCode`	string	Authorization code
`entryMode`	string	Entry mode, such as `SWIPE`, `INSERT`, `TAP`
`authenticationMethod`	string	Authentication method, such as `PIN`, `SIGN`
`transactionResultCode`	string	Transaction result code
`transactionResultMsg`	string	Transaction result description
`terminalSn`	string	Terminal serial number
`description`	string	Payment description
`attach`	string	Additional data (pass-through field)

Example

A typical Webhook request example:


{
  "transactionId": "T202512160001",
  "transactionRequestId": "REQ202512160001",
  "referenceOrderId": "ORDER_10001",
  "transactionStatus": "S",
  "transactionType": "SALE",
  "createTime": "2023-11-19T10:30:00+08:00",
  "completeTime": "2023-11-19T10:30:10+08:00",
  "priceCurrency": "USD",
  "orderAmount": 1000,
  "transactionAmount": 950,
  "taxAmount": 50,
  "surchargeAmount": 0,
  "tipAmount": 0,
  "cashbackAmount": 0,
  "maskedPan": "411111******1111",
  "cardNetworkType": "VISA",
  "paymentMethod": "CARD",
  "subPaymentMethod": "CREDIT",
  "batchNo": 1,
  "voucherNo": "000123",
  "stan": "000456",
  "rrn": "123456789012",
  "authCode": "A12345",
  "entryMode": "CHIP",
  "authenticationMethod": "PIN",
  "transactionResultCode": "00",
  "transactionResultMsg": "Approved",
  "terminalSn": "SN1234567890",
  "description": "Payment for order ORDER_10001",
  "attach": "custom_data_example"
}

Verify Signature

To ensure the request is from SUNBAY, you need to verify the X-Signature header.

Verification Steps

Get the raw request body (JSON string)
Use your Webhook signing secret to perform HMAC-SHA256 signature on the request body
Convert the calculation result to a hexadecimal lowercase string
Compare with the X-Signature header

Code Examples

Below are complete examples of receiving and verifying Webhook signatures:

Java


import org.springframework.web.bind.annotation.*;
import org.springframework.http.ResponseEntity;
import org.springframework.http.HttpStatus;
import javax.servlet.http.HttpServletRequest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.BufferedReader;
import java.nio.charset.StandardCharsets;
import java.util.Map;
 
@RestController
@RequestMapping("/webhook")
public class WebhookController {
    
    // Signing secret obtained from SUNBAY Copilot application details
    private static final String WEBHOOK_SECRET = "your_webhook_secret_key";
    
    @PostMapping("/notify")
    public ResponseEntity<Map<String, String>> handleWebhook(HttpServletRequest request) {
        try {
            // 1. Get request headers
            String signature = request.getHeader("X-Signature");
            String requestId = request.getHeader("X-Client-Request-Id");
            String timestamp = request.getHeader("X-Timestamp");
            
            // 2. Read raw request body (do not deserialize)
            String payload = getRequestBody(request);
            
            // 3. Verify signature
            if (!verifySignature(payload, signature, WEBHOOK_SECRET)) {
                return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("code", "INVALID_SIGNATURE", "message", "Signature verification failed"));
            }
            
            // 4. Verify timeliness (optional, prevent replay attacks)
            if (!verifyTimestamp(timestamp)) {
                return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("code", "EXPIRED", "message", "Request expired"));
            }
            
            // 5. Parse request body and process business logic
            WebhookNotifyRequest notifyRequest = JSON.parseObject(payload, WebhookNotifyRequest.class);
            processWebhook(notifyRequest, requestId);
            
            // 6. Return success response
            return ResponseEntity.ok(Map.of("code", "SUCCESS", "message", "Received"));
            
        } catch (Exception e) {
            log.error("Failed to process webhook", e);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(Map.of("code", "ERROR", "message", "Internal error"));
        }
    }
    
    /**
     * Read raw request body
     */
    private String getRequestBody(HttpServletRequest request) throws Exception {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader reader = request.getReader()) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        }
        return sb.toString();
    }
    
    /**
     * Verify signature
     */
    private boolean verifySignature(String payload, String signature, String secret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKeySpec = new SecretKeySpec(
                secret.getBytes(StandardCharsets.UTF_8), 
                "HmacSHA256"
            );
            mac.init(secretKeySpec);
            
            byte[] hash = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            String expectedSignature = bytesToHex(hash);
            
            return expectedSignature.equalsIgnoreCase(signature);
        } catch (Exception e) {
            log.error("Signature verification error", e);
            return false;
        }
    }
    
    /**
     * Convert byte array to hexadecimal string
     */
    private String bytesToHex(byte[] bytes) {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) {
            result.append(String.format("%02x", b));
        }
        return result.toString();
    }
    
    /**
     * Verify timeliness (optional)
     */
    private boolean verifyTimestamp(String timestamp) {
        try {
            long requestTime = Long.parseLong(timestamp);
            long currentTime = System.currentTimeMillis();
            // Only accept requests within 5 minutes
            return Math.abs(currentTime - requestTime) <= 5 * 60 * 1000;
        } catch (Exception e) {
            return false;
        }
    }
    
    /**
     * Process business logic (idempotent processing)
     */
    private void processWebhook(WebhookNotifyRequest request, String requestId) {
        // Check if already processed (idempotent)
        if (isAlreadyProcessed(request.getTransactionId())) {
            log.info("Transaction already processed: {}", request.getTransactionId());
            return;
        }
        
        // Execute business logic
        updateOrderStatus(request);
        
        // Mark as processed
        markAsProcessed(request.getTransactionId());
    }
}

Node.js


const express = require('express');
const crypto = require('crypto');
 
const app = express();
const WEBHOOK_SECRET = 'your_webhook_secret_key';
 
// Use raw body parser
app.use(express.json({
  verify: (req, res, buf) => {
    // Save raw request body for signature verification
    req.rawBody = buf.toString('utf8');
  }
}));
 
app.post('/webhook/notify', async (req, res) => {
  try {
    // 1. Get request headers
    const signature = req.headers['x-signature'];
    const requestId = req.headers['x-client-request-id'];
    const timestamp = req.headers['x-timestamp'];
    
    // 2. Get raw request body
    const payload = req.rawBody;
    
    // 3. Verify signature
    if (!verifySignature(payload, signature, WEBHOOK_SECRET)) {
      return res.status(401).json({
        code: 'INVALID_SIGNATURE',
        message: 'Signature verification failed'
      });
    }
    
    // 4. Verify timeliness (optional)
    if (!verifyTimestamp(timestamp)) {
      return res.status(401).json({
        code: 'EXPIRED',
        message: 'Request expired'
      });
    }
    
    // 5. Process business logic
    const notifyRequest = req.body;
    await processWebhook(notifyRequest, requestId);
    
    // 6. Return success response
    res.json({
      code: 'SUCCESS',
      message: 'Received'
    });
    
  } catch (error) {
    console.error('Failed to process webhook:', error);
    res.status(500).json({
      code: 'ERROR',
      message: 'Internal error'
    });
  }
});
 
/**
 * Verify signature
 */
function verifySignature(payload, signature, secret) {
  try {
    const hmac = crypto.createHmac('sha256', secret);
    hmac.update(payload, 'utf8');
    const expectedSignature = hmac.digest('hex');
    
    return expectedSignature.toLowerCase() === signature.toLowerCase();
  } catch (error) {
    console.error('Signature verification error:', error);
    return false;
  }
}
 
/**
 * Verify timeliness (optional)
 */
function verifyTimestamp(timestamp) {
  try {
    const requestTime = parseInt(timestamp);
    const currentTime = Date.now();
    // Only accept requests within 5 minutes
    return Math.abs(currentTime - requestTime) <= 5 * 60 * 1000;
  } catch (error) {
    return false;
  }
}
 
/**
 * Process business logic (idempotent processing)
 */
async function processWebhook(request, requestId) {
  // Check if already processed (idempotent)
  if (await isAlreadyProcessed(request.transactionId)) {
    console.log(`Transaction already processed: ${request.transactionId}`);
    return;
  }
  
  // Execute business logic
  await updateOrderStatus(request);
  
  // Mark as processed
  await markAsProcessed(request.transactionId);
}
 
app.listen(3000, () => {
  console.log('Webhook server listening on port 3000');
});

Go


package main
 
import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "encoding/json"
    "io"
    "log"
    "net/http"
    "strconv"
    "time"
)
 
const WEBHOOK_SECRET = "your_webhook_secret_key"
 
type WebhookNotifyRequest struct {
    TransactionID        string `json:"transactionId"`
    TransactionRequestID string `json:"transactionRequestId"`
    ReferenceOrderID     string `json:"referenceOrderId"`
    TransactionStatus    string `json:"transactionStatus"`
    // ... other fields
}
 
type Response struct {
    Code    string `json:"code"`
    Message string `json:"message"`
}
 
func handleWebhook(w http.ResponseWriter, r *http.Request) {
    // 1. Get request headers
    signature := r.Header.Get("X-Signature")
    requestID := r.Header.Get("X-Client-Request-Id")
    timestamp := r.Header.Get("X-Timestamp")
    
    // 2. Read raw request body (do not deserialize)
    payload, err := io.ReadAll(r.Body)
    if err != nil {
        respondError(w, "ERROR", "Failed to read request body")
        return
    }
    defer r.Body.Close()
    
    // 3. Verify signature
    if !verifySignature(string(payload), signature, WEBHOOK_SECRET) {
        w.WriteHeader(http.StatusUnauthorized)
        respondError(w, "INVALID_SIGNATURE", "Signature verification failed")
        return
    }
    
    // 4. Verify timeliness (optional)
    if !verifyTimestamp(timestamp) {
        w.WriteHeader(http.StatusUnauthorized)
        respondError(w, "EXPIRED", "Request expired")
        return
    }
    
    // 5. Parse request body and process business logic
    var notifyRequest WebhookNotifyRequest
    if err := json.Unmarshal(payload, &notifyRequest); err != nil {
        respondError(w, "ERROR", "Invalid JSON")
        return
    }
    
    if err := processWebhook(&notifyRequest, requestID); err != nil {
        respondError(w, "ERROR", "Processing failed")
        return
    }
    
    // 6. Return success response
    respondSuccess(w, "SUCCESS", "Received")
}
 
// Verify signature
func verifySignature(payload, signature, secret string) bool {
    mac := hmac.New(sha256.New, []byte(secret))
    mac.Write([]byte(payload))
    expectedSignature := hex.EncodeToString(mac.Sum(nil))
    
    return expectedSignature == signature
}
 
// Verify timeliness (optional)
func verifyTimestamp(timestamp string) bool {
    requestTime, err := strconv.ParseInt(timestamp, 10, 64)
    if err != nil {
        return false
    }
    
    currentTime := time.Now().UnixMilli()
    // Only accept requests within 5 minutes
    return abs(currentTime-requestTime) <= 5*60*1000
}
 
// Process business logic (idempotent processing)
func processWebhook(request *WebhookNotifyRequest, requestID string) error {
    // Check if already processed (idempotent)
    if isAlreadyProcessed(request.TransactionID) {
        log.Printf("Transaction already processed: %s", request.TransactionID)
        return nil
    }
    
    // Execute business logic
    if err := updateOrderStatus(request); err != nil {
        return err
    }
    
    // Mark as processed
    return markAsProcessed(request.TransactionID)
}
 
func respondSuccess(w http.ResponseWriter, code, message string) {
    w.Header().Set("Content-Type", "application/json")
    json.NewEncoder(w).Encode(Response{Code: code, Message: message})
}
 
func respondError(w http.ResponseWriter, code, message string) {
    w.Header().Set("Content-Type", "application/json")
    json.NewEncoder(w).Encode(Response{Code: code, Message: message})
}
 
func abs(x int64) int64 {
    if x < 0 {
        return -x
    }
    return x
}
 
func main() {
    http.HandleFunc("/webhook/notify", handleWebhook)
    log.Println("Webhook server listening on port 8080")
    log.Fatal(http.ListenAndServe(":8080", nil))
}

Python


from flask import Flask, request, jsonify
import hmac
import hashlib
import json
import time
 
app = Flask(__name__)
WEBHOOK_SECRET = 'your_webhook_secret_key'
 
@app.route('/webhook/notify', methods=['POST'])
def handle_webhook():
    try:
        # 1. Get request headers
        signature = request.headers.get('X-Signature')
        request_id = request.headers.get('X-Client-Request-Id')
        timestamp = request.headers.get('X-Timestamp')
        
        # 2. Get raw request body (do not deserialize)
        payload = request.get_data(as_text=True)
        
        # 3. Verify signature
        if not verify_signature(payload, signature, WEBHOOK_SECRET):
            return jsonify({
                'code': 'INVALID_SIGNATURE',
                'message': 'Signature verification failed'
            }), 401
        
        # 4. Verify timeliness (optional)
        if not verify_timestamp(timestamp):
            return jsonify({
                'code': 'EXPIRED',
                'message': 'Request expired'
            }), 401
        
        # 5. Parse request body and process business logic
        notify_request = json.loads(payload)
        process_webhook(notify_request, request_id)
        
        # 6. Return success response
        return jsonify({
            'code': 'SUCCESS',
            'message': 'Received'
        })
        
    except Exception as e:
        app.logger.error(f'Failed to process webhook: {e}')
        return jsonify({
            'code': 'ERROR',
            'message': 'Internal error'
        }), 500
 
def verify_signature(payload, signature, secret):
    """Verify signature"""
    try:
        expected_signature = hmac.new(
            secret.encode('utf-8'),
            payload.encode('utf-8'),
            hashlib.sha256
        ).hexdigest()
        
        return expected_signature.lower() == signature.lower()
    except Exception as e:
        app.logger.error(f'Signature verification error: {e}')
        return False
 
def verify_timestamp(timestamp):
    """Verify timeliness (optional)"""
    try:
        request_time = int(timestamp)
        current_time = int(time.time() * 1000)
        # Only accept requests within 5 minutes
        return abs(current_time - request_time) <= 5 * 60 * 1000
    except:
        return False
 
def process_webhook(request_data, request_id):
    """Process business logic (idempotent processing)"""
    transaction_id = request_data.get('transactionId')
    
    # Check if already processed (idempotent)
    if is_already_processed(transaction_id):
        app.logger.info(f'Transaction already processed: {transaction_id}')
        return
    
    # Execute business logic
    update_order_status(request_data)
    
    # Mark as processed
    mark_as_processed(transaction_id)
 
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

PHP


<?php
 
// Signing secret obtained from SUNBAY Copilot application details
define('WEBHOOK_SECRET', 'your_webhook_secret_key');
 
// Handle Webhook request
function handleWebhook() {
    try {
        // 1. Get request headers
        $signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
        $requestId = $_SERVER['HTTP_X_CLIENT_REQUEST_ID'] ?? '';
        $timestamp = $_SERVER['HTTP_X_TIMESTAMP'] ?? '';
        
        // 2. Get raw request body (do not deserialize)
        $payload = file_get_contents('php://input');
        
        // 3. Verify signature
        if (!verifySignature($payload, $signature, WEBHOOK_SECRET)) {
            http_response_code(401);
            echo json_encode([
                'code' => 'INVALID_SIGNATURE',
                'message' => 'Signature verification failed'
            ]);
            return;
        }
        
        // 4. Verify timeliness (optional)
        if (!verifyTimestamp($timestamp)) {
            http_response_code(401);
            echo json_encode([
                'code' => 'EXPIRED',
                'message' => 'Request expired'
            ]);
            return;
        }
        
        // 5. Parse request body and process business logic
        $notifyRequest = json_decode($payload, true);
        processWebhook($notifyRequest, $requestId);
        
        // 6. Return success response
        header('Content-Type: application/json');
        echo json_encode([
            'code' => 'SUCCESS',
            'message' => 'Received'
        ]);
        
    } catch (Exception $e) {
        error_log('Failed to process webhook: ' . $e->getMessage());
        http_response_code(500);
        echo json_encode([
            'code' => 'ERROR',
            'message' => 'Internal error'
        ]);
    }
}
 
/**
 * Verify signature
 */
function verifySignature($payload, $signature, $secret) {
    try {
        $expectedSignature = hash_hmac('sha256', $payload, $secret);
        return strtolower($expectedSignature) === strtolower($signature);
    } catch (Exception $e) {
        error_log('Signature verification error: ' . $e->getMessage());
        return false;
    }
}
 
/**
 * Verify timeliness (optional)
 */
function verifyTimestamp($timestamp) {
    try {
        $requestTime = intval($timestamp);
        $currentTime = intval(microtime(true) * 1000);
        // Only accept requests within 5 minutes
        return abs($currentTime - $requestTime) <= 5 * 60 * 1000;
    } catch (Exception $e) {
        return false;
    }
}
 
/**
 * Process business logic (idempotent processing)
 */
function processWebhook($request, $requestId) {
    $transactionId = $request['transactionId'] ?? '';
    
    // Check if already processed (idempotent)
    if (isAlreadyProcessed($transactionId)) {
        error_log("Transaction already processed: $transactionId");
        return;
    }
    
    // Execute business logic
    updateOrderStatus($request);
    
    // Mark as processed
    markAsProcessed($transactionId);
}
 
// Handle request
handleWebhook();

.NET


using Microsoft.AspNetCore.Mvc;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
 
[ApiController]
[Route("webhook")]
public class WebhookController : ControllerBase
{
    private const string WEBHOOK_SECRET = "your_webhook_secret_key";
    private readonly ILogger<WebhookController> _logger;
    
    public WebhookController(ILogger<WebhookController> logger)
    {
        _logger = logger;
    }
    
    [HttpPost("notify")]
    public async Task<IActionResult> HandleWebhook()
    {
        try
        {
            // 1. Get request headers
            var signature = Request.Headers["X-Signature"].ToString();
            var requestId = Request.Headers["X-Client-Request-Id"].ToString();
            var timestamp = Request.Headers["X-Timestamp"].ToString();
            
            // 2. Read raw request body (do not deserialize)
            using var reader = new StreamReader(Request.Body);
            var payload = await reader.ReadToEndAsync();
            
            // 3. Verify signature
            if (!VerifySignature(payload, signature, WEBHOOK_SECRET))
            {
                return Unauthorized(new
                {
                    code = "INVALID_SIGNATURE",
                    message = "Signature verification failed"
                });
            }
            
            // 4. Verify timeliness (optional)
            if (!VerifyTimestamp(timestamp))
            {
                return Unauthorized(new
                {
                    code = "EXPIRED",
                    message = "Request expired"
                });
            }
            
            // 5. Parse request body and process business logic
            var notifyRequest = JsonSerializer.Deserialize<WebhookNotifyRequest>(payload);
            await ProcessWebhook(notifyRequest, requestId);
            
            // 6. Return success response
            return Ok(new
            {
                code = "SUCCESS",
                message = "Received"
            });
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "Failed to process webhook");
            return StatusCode(500, new
            {
                code = "ERROR",
                message = "Internal error"
            });
        }
    }
    
    /// <summary>
    /// Verify signature
    /// </summary>
    private bool VerifySignature(string payload, string signature, string secret)
    {
        try
        {
            using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
            var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            var expectedSignature = BitConverter.ToString(hash)
                .Replace("-", "").ToLower();
            
            return expectedSignature.Equals(signature, StringComparison.OrdinalIgnoreCase);
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "Signature verification error");
            return false;
        }
    }
    
    /// <summary>
    /// Verify timeliness (optional)
    /// </summary>
    private bool VerifyTimestamp(string timestamp)
    {
        try
        {
            var requestTime = long.Parse(timestamp);
            var currentTime = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
            // Only accept requests within 5 minutes
            return Math.Abs(currentTime - requestTime) <= 5 * 60 * 1000;
        }
        catch
        {
            return false;
        }
    }
    
    /// <summary>
    /// Process business logic (idempotent processing)
    /// </summary>
    private async Task ProcessWebhook(WebhookNotifyRequest request, string requestId)
    {
        // Check if already processed (idempotent)
        if (await IsAlreadyProcessed(request.TransactionId))
        {
            _logger.LogInformation($"Transaction already processed: {request.TransactionId}");
            return;
        }
        
        // Execute business logic
        await UpdateOrderStatus(request);
        
        // Mark as processed
        await MarkAsProcessed(request.TransactionId);
    }
}
 
public class WebhookNotifyRequest
{
    public string TransactionId { get; set; }
    public string TransactionRequestId { get; set; }
    public string ReferenceOrderId { get; set; }
    public string TransactionStatus { get; set; }
    // ... other fields
}

Important Notes

Get the raw request body string first, do not deserialize or reorder fields, use it directly for signature verification
Always verify the signature before processing business logic
Signature verification failure should return HTTP 401 status code
Business processing exceptions should return HTTP 500 status code

Processing Notifications

Idempotency

Due to network reasons, you may receive multiple Webhook notifications for the same transaction. You need to ensure your processing logic is idempotent to avoid business issues caused by duplicate processing (such as duplicate shipments or duplicate inventory deductions).

Recommended idempotency keys:

transactionId
transactionRequestId
X-Client-Request-Id

Processing Flow

It is recommended to process Webhook notifications according to the following flow:

Verify Signature - Confirm the request is from SUNBAY
Check Idempotency Key - Query locally whether the transaction has been processed
Execute Business Logic - Update order status, trigger subsequent processes
Record Processing Status - Mark as processed to prevent duplication
Return 200 - Inform SUNBAY of successful receipt

Best Practices

Quick Response: It is recommended to adopt an asynchronous processing mode, return HTTP 200 immediately after receiving the notification, then put the task in a queue for asynchronous processing
Unified Status Management: Transaction results may be obtained through multiple channels (synchronous return, active query, Webhook). It is recommended to use transactionId as the primary key for unified status management
Log Recording: Completely record key fields such as X-Client-Request-Id and transactionId for easy troubleshooting

Retry and Circuit Breaking

Retry Strategy

When your service returns a non-HTTP 200 status code or the request times out, we will automatically retry.

Retry Count	Retry Interval
1-3	5 seconds
4-6	30 seconds
7	1 minute
8	5 minutes
9	30 minutes
10	2 hours
11	4 hours
12	6 hours

Maximum of 12 retries, after which it will be marked as final failure.

Circuit Breaking Mechanism

To protect both systems, we implement a circuit breaking strategy. When a notification address reaches the failure threshold consecutively, notifications to that address will be suspended.

The following are default configurations (may be adjusted based on specific circumstances):

Failure Count	Circuit Breaking Duration
≥ 20 times	1 hour
≥ 50 times	6 hours
≥ 100 times	24 hours

Important Notes

Ensure Webhook service is highly available and quickly returns HTTP 200 status code
Do not rely entirely on Webhook, it is recommended to use transaction query interface for compensation to avoid missing orders

Response Format

We only care about the HTTP 200 status code, the response body content is not mandatory. However, it is recommended to return standard JSON format for easy log analysis and troubleshooting.

Success Response


HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "code": "SUCCESS",
  "message": "Received"
}

Failure Response


HTTP/1.1 500 Internal Server Error
Content-Type: application/json
 
{
  "code": "INTERNAL_ERROR",
  "message": "Service temporarily unavailable"
}

Testing and Go-Live

Testing Checklist

Before going live, please ensure:

Signature verification logic is correct
Idempotent processing logic is complete
Asynchronous processing mechanism is ready
Log recording is complete (including key fields such as X-Client-Request-Id, transactionId)
Exception handling (timeout, retry, etc.)
Monitoring and alerting configuration is complete

Production Environment Recommendations

High Availability: Ensure Webhook service is stable and available to avoid triggering circuit breaking
Asynchronous Processing: Interface quickly returns HTTP 200, business logic is put in queue for asynchronous processing
Monitoring and Alerting: Monitor key metrics such as receipt success rate and processing time
Fallback Plan: Use transaction query interface to regularly compensate for missed notifications