Webhooks are how your backend learns the outcome of a payment. When a payment changes state, Quidkey delivers a signed event to your registered URL. This is the source of truth: never rely on a browser redirect to confirm a payment.
Redirects can fail, be interrupted, or be triggered by a customer who never paid. Always confirm payment via the webhook (or the status endpoint), not the redirect.
The webhook_secret is returned once. Store it immediately in a secure vault (AWS Secrets Manager, HashiCorp Vault, etc.). If you lose it, generate a new one.
3
Revoke the secret (if needed)
Roll or revoke the secret during incident response. Generate a new one afterwards.
curl -X POST 'https://core.quidkey.com/api/v1/webhooks/secret/revoke' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
On the wire, amount is a string holding a stringified integer of minor units ("1999" = £19.99), and the fees numeric fields (total_fees, each fee’s amount, rate_value) are strings too. Parse them before doing arithmetic.
Field
Description
id
Unique event ID (evt_...). Use this to de-duplicate: see below.
Quidkey signs each delivery with an HMAC. You must verify the signature before trusting or parsing the payload, otherwise anyone who discovers your URL could forge events.
The signature is an HMAC SHA-256 over the string `${timestamp}.${rawBody}` (the timestamp, a literal dot, then the raw request body), keyed by your webhook signing secret.
The HMAC key is the full secret, including the whsec_ prefix, used verbatim. Do not strip whsec_ before computing the HMAC.
Verify against the raw request body bytes, exactly as received. If your framework parses JSON before you can read the raw body, the bytes change and verification will fail. Capture the raw body first (e.g. express.raw()), then parse only after the signature checks out.
Quidkey’s envelope and signature scheme are Stripe-compatible, so the Stripe SDK verifies them directly. Pass the raw body and the Stripe-Signature header, keyed by your full whsec_... secret.
import express from 'express';import Stripe from 'stripe';const stripe = new Stripe(process.env.STRIPE_API_KEY);const app = express();// IMPORTANT: raw body so the bytes match what was signedapp.post( '/webhooks/quidkey', express.raw({ type: 'application/json' }), (req, res) => { let event; try { event = stripe.webhooks.constructEvent( req.body, // raw Buffer req.get('stripe-signature'), // t=...,v1=... process.env.QUIDKEY_WEBHOOK_SECRET, // full "whsec_..." secret ); } catch (err) { return res.status(400).send(`Invalid signature: ${err.message}`); } // event is verified: safe to handle handleEvent(event); res.status(200).send('OK'); },);
If you do not use the Stripe SDK, verify the HMAC yourself with a timing-safe comparison and a timestamp tolerance to reject replays.
import crypto from 'crypto';import express from 'express';const TOLERANCE_SECONDS = 300; // reject events older than 5 minutesfunction verifyQuidkeySignature(rawBody, signatureHeader, secret) { const match = signatureHeader?.match(/^t=(\d+),v1=([a-f0-9]+)$/); if (!match) throw new Error('Malformed signature header'); const [, timestamp, providedV1] = match; // Reject stale events (replay protection) const age = Math.floor(Date.now() / 1000) - Number(timestamp); if (Math.abs(age) > TOLERANCE_SECONDS) throw new Error('Timestamp outside tolerance'); // HMAC over `${timestamp}.${rawBody}`, keyed by the FULL secret (incl. whsec_) const expected = crypto .createHmac('sha256', secret) .update(`${timestamp}.${rawBody}`) .digest('hex'); const a = Buffer.from(expected); const b = Buffer.from(providedV1); if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) { throw new Error('Signature mismatch'); }}const app = express();app.post( '/webhooks/quidkey', express.raw({ type: 'application/json' }), (req, res) => { try { verifyQuidkeySignature( req.body, // raw Buffer req.get('x-signature'), // or req.get('stripe-signature') process.env.QUIDKEY_WEBHOOK_SECRET, // full "whsec_..." secret ); } catch (err) { return res.status(400).send(`Invalid signature: ${err.message}`); } const event = JSON.parse(req.body.toString()); // parse only after verifying handleEvent(event); res.status(200).send('OK'); },);
import hashlibimport hmacimport timeTOLERANCE_SECONDS = 300 # reject events older than 5 minutesdef verify_quidkey_signature(raw_body: bytes, signature_header: str, secret: str) -> None: # Header format: t=<unix>,v1=<hex-hmac> parts = dict(p.split('=', 1) for p in signature_header.split(',')) timestamp, provided_v1 = parts['t'], parts['v1'] # Reject stale events (replay protection) if abs(int(time.time()) - int(timestamp)) > TOLERANCE_SECONDS: raise ValueError('Timestamp outside tolerance') # HMAC over f"{timestamp}.{raw_body}", keyed by the FULL secret (incl. whsec_) signed_payload = f"{timestamp}.".encode() + raw_body expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest() if not hmac.compare_digest(expected, provided_v1): raise ValueError('Signature mismatch')
Terminal vs transitional states.pending is transitional and resolves to one of succeeded, failed, or canceled. succeeded is otherwise terminal, but a settled payment can still move to reversed later if it is refunded or reversed. A reversal is identified by the event type (quidkey.payment_request.reversed); there is no distinct reversed status value, so data.object.status stays the underlying transaction status (e.g. completed).
function handleEvent(event) { // De-duplicate: skip if this event.id was already processed if (alreadyProcessed(event.id)) return; const payment = event.data.object; switch (event.type) { case 'quidkey.payment_request.succeeded': fulfilOrder(payment.metadata.order_id, payment); if (payment.fees) recordFees(payment.metadata.order_id, payment.fees); break; case 'quidkey.payment_request.failed': markFailed(payment.metadata.order_id); break; case 'quidkey.payment_request.canceled': // one 'l' markCancelled(payment.metadata.order_id); break; case 'quidkey.payment_request.pending': markPending(payment.metadata.order_id); break; case 'quidkey.payment_request.reversed': reverseOrder(payment.metadata.order_id); break; } markProcessed(event.id);}
Quidkey makes a single delivery attempt per event. There is no automatic retry. If your endpoint is down or returns a non-2xx, the event is not retried automatically; you resend it manually.
Manual resend. You can resend a delivery from the Quidkey Console. A resend reuses the same event.id and is re-signed with a fresh timestamp (so the signature and timestamp tolerance still validate).
Because resends reuse the same event.id, your handler must de-duplicate on event.id. Record processed event IDs and skip any you have already handled; otherwise a resend will fulfil the same order twice.
If you suspect a webhook was missed (endpoint downtime, etc.), reconcile by querying the payment’s current status directly. This protected merchant endpoint returns the authoritative state:
Use the status endpoint as a backstop, not a substitute for webhooks. Poll it for payments where you expected an event but never received one, then resend from the Console if needed.
Capture the raw body, verify the signature against it (full secret, including whsec_), and only then parse the JSON. Reject anything that fails with a 400.
De-duplicate on event.id
Persist every processed event.id. Resends reuse the ID, so this is what keeps fulfilment exactly-once.
Respond fast, work async
Return 200 quickly and do heavy work (fulfilment, emails) asynchronously. A slow handler can time out the delivery.
Enforce a timestamp tolerance
Reject events whose X-Timestamp is outside ~300 seconds of now to defend against replay attacks.
