What are Webhooks?
Webhooks allow your application to receive real-time notifications when events occur in HOST Pay. Instead of polling the API, HOST Pay will send HTTP POST requests to your specified endpoint whenever a transaction or account event takes place.Common Use Cases
Payment Confirmation
Get notified the moment deposits are successfully processed
Transfer Updates
Track wallet-to-wallet transfers in real time
Payout Status
Monitor withdrawal processing and failures
Balance Changes
React to wallet balance and fee events as they happen
Webhook Events
HOST Pay sends webhooks for payment, transfer, payout, wallet, transaction, escrow, and system events. You can subscribe to individual events or use wildcards (e.g.,payment.*) to receive all events in a group.
See Webhook Events for the full list of event types and subscription patterns.
Webhook Payload
Every webhook delivers a JSON body with this structure:status field inside data reflects the outcome extracted from the event type (e.g., succeeded, failed, created). The metadata object carries any additional context attached to the event.
The event type itself (
payment.succeeded, payout.failed, etc.) is identified by the X-Webhook-Version and event delivery headers, not an event field in the body.Request Headers
Every webhook delivery includes these headers:| Header | Description |
|---|---|
X-HostPay-Signature | HMAC-SHA256 signature of the payload (format: v1=<hex>) |
X-Webhook-Timestamp | Unix timestamp (seconds) when the webhook was sent |
X-Webhook-Version | API version string (e.g., 2025-01) |
X-Webhook-Source | Always HostPay |
X-HostPay-Delivery-Id | Unique delivery ID for idempotency tracking |
Idempotency-Key | Same as X-HostPay-Delivery-Id |
Setting Up Webhooks
Create Endpoint
Set up an HTTPS endpoint to receive POST requests (e.g.,
https://yourapp.com/webhooks/hostpay)Configure in Dashboard
Add your webhook URL and select the events you want to subscribe to in the
HOST Pay dashboard
Store Your Secret
Save the webhook secret displayed during setup — you’ll need it to verify
signatures
Verify Signatures
Validate every incoming webhook’s signature before processing it — see Security
Test
Send a
test.ping event from the dashboard and confirm your endpoint
receives it — see TestingBest Practices
Respond Quickly — Process Async
Respond Quickly — Process Async
Return a
200 OK as soon as you receive the webhook, then process it in the background. HOST Pay considers any non-2xx response a failure and will retry.Handle Duplicates (Idempotency)
Handle Duplicates (Idempotency)
The same event may be delivered more than once. Use the
X-HostPay-Delivery-Id header or data.id to detect duplicates and skip re-processing.Validate Timestamps
Validate Timestamps
Check that
X-Webhook-Timestamp is within 5 minutes of your server time to prevent replay attacks. Reject requests that are too old.Use HTTPS Only
Use HTTPS Only
Your endpoint must be served over HTTPS. HTTP endpoints will not receive webhooks.
Monitor Failures
Monitor Failures
Track failed deliveries in your logs and set up alerts. After all retry attempts are exhausted, no further automatic retries will occur.
Test in Test Mode First
Test in Test Mode First
Use Test Mode and the
test.ping event to validate your endpoint before processing live events.Retry Policy
If your endpoint returns a non-2xx status code or times out, HOST Pay retries the delivery automatically:- Up to 10 retry attempts after the initial delivery failure
- Exponential backoff: the delay between attempts doubles each time, starting at 60 seconds and capping at 30 minutes
- After all attempts are exhausted, the delivery is marked failed and no further retries occur
Next Steps
Webhook Events
Browse every event type and subscription pattern
Security
Verify signatures before processing events
Testing
Validate your endpoint before going live