Webhooks
Webhooks are HTTP callbacks that receive notification messages for events. To be able to receive webhook notifications, you must configure your server to listen to incoming HTTP POST messages and register it by passing the URL in the merchantUrls.callback optional body parameter every time you create an order payment.
We sign each notification message that we deliver to your webhook listener. It is your choice to verify this signature.

Events and status codes:

There are several events that trigger a notification:
  • an order payment was created (status: INITIAL)
  • the order payment was claimed by a user logging into the checkout page (status: CLAIMED)
  • an order payment is fulfilled, i.e. payment is processed (status: SETTLED)
  • an order payment is denied, i.e. payment is denied (status: DENIED)
  • an order payment is waiting fulfilment, i.e. payment is still being processed (status: PENDING)

Notification message:

The notification message contains the order payment, including their specific status at that time:
1
{
2
amount: 30000,
3
currency: 'EUR',
4
createdAt: '2021-09-30T11:54:04.148Z',
5
id: '01FGV8VVYWSKYHGKPPZWMXWN8D',
6
merchantReference: 'dev test',
7
prescriptionRequired: false,
8
status: 'INITIAL',
9
updatedAt: null
10
}
Copied!
In addition, 3 event headers will aid you in validating the source of the notification:
Event Header
Description
Hi-Api-Signature
asymmetric signature generated by Hi.Health
Hi-Api-Signature-Format
encoding of the signature that you can use in the verification process
Hi-Api-Hash-Algorithm
algorithm used to generate the signature and that you use in the verification process

Verification process:

To generate the signature we use an asymmetric signature algorithm such as RSA with SHA256. We take the body of the notification which we sign with a private key and encode it using the encoding specified in Hi-Api-Signature-Format for http transport thus enabling you to use a public key to verify the webhook.
To get the public certificate, follow this link for Staging or this link for Production. You will have to store it and have it accessible during the verification process.
Example of verification using node.js:
1
// Node.js
2
import crypto from 'crypto'
3
4
const algo = <Hi-Hash-Algorithm value>
5
const format = <Hi-Signature-Format value>
6
const signature = <Hi-Signature value>
7
const publicKey = fs.readFileSync(<path_to_Public_Certificate>, 'utf8')
8
const orderPayment = <body-of-the-POST-request>
9
10
const verifier = crypto.createVerify(algo)
11
verifier.update(JSON.stringify(orderPayment))
12
const verificationResult = verifier.verify(publicKey, signature, format)
Copied!
Example of verification using php:
1
$headers = getallheaders();
2
3
// read the public certificate
4
$fp = fopen("webhook.crt", "r");
5
$cert = fread($fp, 8192);
6
fclose($fp);
7
8
// decoding depends on the value of Hi-Api-Signature-Format
9
$signature = base64_decode($headers['Hi-Api-Signature'])
10
11
// Signature verification
12
$cert_test = openssl_verify($body_post_data, $signature, $cert, OPENSSL_ALGO_SHA256);
13
14
if ($cert_test == 1) {
15
// Display Success
16
} elseif ($cert_test == 0) {
17
// Display Error
18
}
Copied!
If the verification passes, then you can safely process the notification.
If the verification fails, you have to discard the notification and inform us at [email protected]