Webhook Verification Guide

Verify Kang Open Banking webhook signatures using HMAC-SHA256. Event types, retry policy, and idempotent handling for payment notifications.

Webhook Integration

Receive real-time payment notifications via HTTPS webhooks with cryptographic signature verification.

Signature Verification

All webhooks are signed using HMAC-SHA256. Compute the HMAC over the raw request body, exactly as received and before any JSON parsing, and compare it to the value in the X-KOB-Signature header.

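const crypto = require('crypto');
// Expected HMAC-SHA256 over the raw (unparsed) request body, as bytes.
const expected = crypto.createHmac('sha256', webhookSecret)
  .update(rawBody).digest();
// Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first.
const received = Buffer.from(receivedSignature || '', 'hex');
const isValid = received.length === expected.length &&
  crypto.timingSafeEqual(received, expected);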

Event Types

Retry Policy

Failed deliveries are retried with exponential backoff: 1min, 5min, 30min, 2hr, 12hr, 24hr (6 attempts total). Return HTTP 2xx to acknowledge.
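
The following handler is an added example, not Kang Open Banking's own code. It combines signature verification with idempotent handling of retried deliveries. Assumptions: the header value is hex-encoded, a retry carries the same body bytes (so a hash of the body serves as the dedupe key), and the names handleWebhook, onEvent and seen are hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory dedupe store; use a durable store with a TTL in production.
const seen = new Set();

// Returns the HTTP status the endpoint should send.
// rawBody: Buffer of the request body exactly as received (not re-serialized JSON).
// signatureHeader: value of X-KOB-Signature, assumed hex-encoded.
// onEvent: hypothetical application callback that processes the parsed event.
function handleWebhook(rawBody, signatureHeader, secret, onEvent) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(String(signatureHeader || ''), 'hex');
  // timingSafeEqual throws on a length mismatch, so check the length first.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return 401; // unauthenticated: never parse or act on the body
  }
  // Assumption: a retry carries the same bytes, so the body hash identifies the delivery.
  const key = crypto.createHash('sha256').update(rawBody).digest('hex');
  if (seen.has(key)) return 200; // duplicate retry: acknowledge without re-processing
  try {
    onEvent(JSON.parse(rawBody.toString('utf8')));
  } catch (err) {
    return 500; // non-2xx so the sender retries; the key is not recorded
  }
  seen.add(key); // record only after processing succeeded
  return 200;
}

// Constructed sample data, not a real Kang Open Banking payload or secret.
const demoSecret = 'constructed-demo-secret';
const demoBody = Buffer.from('{"type":"example.event","amount":"10.00"}');
const demoSig = crypto.createHmac('sha256', demoSecret)
  .update(demoBody).digest('hex');
```

Recording the key only after processing succeeds means a crash mid-processing leads to a retry rather than a silently dropped payment notification.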