Pay attention: It's only possible to create (or update) only ONE webhook per order type.

Here are examples of the types of requests that you can configure to receive webhooks, along with their respective statuses:

• PixPaymentReceivement: Used to receive notifications regarding the receipt of payments via Pix.
• PixPayment: Used to receive notifications regarding payments made through Pix.
• InternalTransfer: Used to receive notifications regarding internal transfers.
• InternalTransferReceivement: Used to receive notifications regarding the receipt of internal transfers.
• Fee: Used to receive notifications regarding fees or charges applied to transactions.
• PixRefund: Used to receive notifications regarding refunds made through Pix.
• PixRefundReceivement: Used to receive notifications regarding the receipt of refunds via Pix.

When creating an webhook, the response will return a secret. This secret is used to validate that the request is comming from our API.

When your application receive an webhook call, the request will contain a Signature header.

➡️

Important:

It is HIGHLY RECOMMENDED that you validate the signature before make any action in you application.

Below there is an example for how to validate the signature:

// payload is the array passed to the `payload` method of the webhook
// secret is the string given to the `signUsingSecret` method on the webhook. 

$signature = hash_hmac('sha256', $responseBodyContents, $secret);

// Then check if the resulting signature is equals to request signature.
// If don't, the request may be fraudulent.

if($signature !== $requestSignature) {
	// Throws an exception for possibly fraudulent request
}