Webhook Callback
Overview
TemboPlus provides a webhook-based callback service that enables merchants to receive notifications of transactions in their virtual accounts. When a new transaction occurs, the system submits a callback request to a designated URL using the POST method.
Request Structure
HTTP Method
POST
Headers
content-type: application/json
x-request-id: A unique UUID tracking the request. Callbacks related to the same request share the same ID.
x-request-timestamp: Number of milliseconds since the Unix epoch, indicating when the request was sent.
x-request-signature: HMAC signature for verifying the authenticity and integrity of the payload.
Payload Details
accountNo (String): The merchant virtual account number where the transaction occurred.
payerName (String): The name of the payer. This field is set to null for debit transactions, and also to null if the system fails to extract the payer's name.
id (UUID): A globally unique identifier for this transaction.
transactionId (String): Identifies a transaction within the banking system. If the transaction has related sub-transactions, such as charges or VAT, these related transactions share the same transaction ID, so this field may not be unique.
reference (String): A unique reference for the transaction, generated by the system. However, certain transactions, such as VAT or bank charges, may have a fixed reference, so this field may not be unique for those transaction types.
transactionType (String): The type of transaction. Example: H4.
channel (String): The channel through which the transaction was made. Example: CMM.
transactionDate (DateTime): Timestamp of the transaction.
postingDate (DateTime): Timestamp when the transaction was posted.
valueDate (DateTime): Value date of the transaction.
narration (String): Description or details of the transaction.
currency (String): Currency code for the transaction (e.g., TZS, USD).
amountCredit (Decimal): Amount credited to the account.
amountDebit (Decimal): Amount debited from the account.
clearedBalance (Decimal): The cleared balance in the account after the transaction.
bookedBalance (Decimal): The booked balance in the account after the transaction.
Sample Payload
Security and Signature Verification
To ensure the integrity and authenticity of the callback payload, TemboPlus signs each request using an HMAC signature. The signature is provided in the x-request-signature header.
Signature Generation
The signature is computed using the following steps:
Generate a Timestamp
A timestamp is generated at the time of request in milliseconds since the Unix epoch. This value is sent in the x-request-timestamp header.
Concatenate Fields
A string is formed by concatenating specific fields from the payload in the following order:
Truncated Values: Amount-related fields (amountCredit, amountDebit, clearedBalance, bookedBalance) are truncated to remove decimal values. For example, 97000000.34 becomes 97000000.
Compute the HMAC
Using the concatenated string:
The HMAC digest is computed with the SHA-256 hashing algorithm.
The secret key, specific to the account, is base64-decoded before use.
The resulting digest is encoded as a base64 string to produce the final signature.
Send the Signature
The computed signature is included in the x-request-signature header. The x-request-timestamp header accompanies the request to provide the timestamp used during signature generation.
Example Implementation
Below is a sample code snippet for verifying the signature in Node.js:
Additional Notes
Timestamp Validity
Ensure the x-request-timestamp is recent (e.g., within 5 minutes) to mitigate replay attacks. However, note that callbacks may be retried by the system in case of server errors or network outages. In such cases, the retried callback will carry the original timestamp, which may fall outside the expected window. As a result, timestamp validation may fail for these retries. You may consider not validating timestamps at all to avoid such issues.
Truncated Values
The truncation step ensures consistency in signature computation. Decimal values must be removed before concatenation.
Handling Secret Keys
The secret key will be shared during onboarding and can be changed upon request if it is determined that the key has been compromised or needs to be rotated to meet your organization policy.