Webhooks

Verify OasisPay Events

OasisPay sends `X-OasisPay-Signature`, `X-OasisPay-Timestamp`, and `X-OasisPay-Event`. Verify `HMAC_SHA256(timestamp + "." + rawBody, webhookSecret)`.

// Node.js / JavaScript
import crypto from "crypto";

function verifyWebhook(rawBody, headers, secret) {
  const timestamp = headers["x-oasispay-timestamp"];
  const signature = headers["x-oasispay-signature"];
  const expected = crypto
    .createHmac("sha256", secret)
    .update(timestamp + "." + rawBody)
    .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Events

payment.success, payment.failed, virtual_account.credit, transaction.created, settlement.completed, payout.successful, payout.failed