Webhooks

Register Webhook

The HMAC signing secret is generated server-side and returned once in this response — store it securely. You will use it to verify the Stablepay-Signature header on every delivered event.

Signature verification (Node.js):

const crypto = require('crypto');
function verify(secret, body, sigHeader) {
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(sigHeader), Buffer.from(expected));
}

Event types:

Type	Description
`payment.processing`	USDC broadcast on-chain
`payment.succeeded`	Payout confirmed by provider
`payment.failed`	Payout failed (all retries exhausted)
`payment.refunded`	Payment manually refunded by ops

Pass an empty events array to subscribe to all event types.

POST

webhooks

curl --request POST \
  --url https://stablepay-money-api-production.up.railway.app/v1/webhooks/register \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "url": "https://app.walletIssuer.io/webhooks/stablepay",
  "events": [
    "payment.succeeded",
    "payment.failed",
    "payment.processing"
  ]
}
'

{
  "webhookId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "url": "<string>",
  "events": [
    "<string>"
  ],
  "secret": "a3f7c2e1d4b8a0..."
}

The secret field is returned only once at registration time. Store it securely — it cannot be retrieved again. Use it to verify incoming Stablepay-Signature headers on your endpoint.

Authorizations

Authorization

string

header

required

Stablepay API key. Include as Authorization: Bearer <key>.

Body

application/json

url

string<uri>

required

Your HTTPS endpoint that will receive POST requests.

Example:

"https://app.walletIssuer.io/webhooks/stablepay"

events

string[]

Event types to subscribe to. Empty array = all events.

Example:

["payment.succeeded", "payment.failed"]

Response

201 - application/json

Webhook registered. Save the secret — it is not retrievable after this response.

webhookId

string<uuid>

required

Registration ID.

url

string<uri>

required

events

string[]

required

secret

string

required

HMAC signing secret — returned once only. Store in your secrets manager. Used to verify Stablepay-Signature on inbound events.

Example:

"a3f7c2e1d4b8a0..."

FX Rate Replay Webhook