Webhook Management
Webhook notifications let your backend react in real time when a payment’s statusCode
changes. Each terminal has exactly one default webhook URL. You can:
Set or update the URL
Delete the URL
Verify events with the returned
signingSecret
Per-payment overrides Passing a
webhookUrls
array inPOST /payments/crypto
adds extra endpoints for that single payment. The terminal webhook configured here still receives every event.
Set / Update the webhook URL
Endpoint
PUT /Terminals/{terminalId}/webhook
Headers
Authorization: Bearer {access_token}
Content-Type: application/json
Request body
{
"webhookUrl": "https://yourapp.com/webhooks/payment-status"
}
Example (cURL)
curl -X PUT "https://api.test.devs.beadpay.io/Terminals/TERM-123/webhook" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"webhookUrl":"https://yourapp.com/webhooks/payment-status"}'
Success response
{
"terminalId": "TERM-123",
"webhookUrl": "https://yourapp.com/webhooks/payment-status",
"signingSecret": "abc123secret",
"updated": "2025-07-09T15:02:10Z"
}
Keep signingSecret
safe—use it to verify the x-webhook-signature
header on incoming events.
Delete the webhook URL
Endpoint
DELETE /Terminals/{terminalId}/webhook
Example (cURL)
curl -X DELETE "https://api.test.devs.beadpay.io/Terminals/TERM-123/webhook" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Success response
{
"terminalId": "TERM-123",
"webhookUrl": null
}
Best-practice tips
Respond with HTTP 200 quickly
Any non-2xx triggers retries (exponential back-off for 24 h).
Verify every event (x-webhook-signature
+ signingSecret
)
Prevent spoofing and replays.
Use environment-specific URLs (dev / staging / prod)
Keeps test traffic isolated.
Handle enum statusCode
strings (completed
, underpaid
, etc.)
Numeric codes were removed in May 2025.
Remember fan-out
Events go to this URL and any webhookUrls
supplied per payment.
Need help? Email [email protected].
Last updated