What Are Webhooks?
When a transaction status changes — for example, when a PIX payment is confirmed — CertoPay sends an HTTPPOST request containing a JSON payload to the URL you register. Your server processes that payload and responds with an HTTP 200 to acknowledge receipt.
PIX and Boleto payments are asynchronous by nature. Your checkout flow creates the transaction and shows the payment instructions to the buyer, but the actual confirmation arrives later via webhook. Without a registered webhook endpoint, your system has no reliable way to know when those payments clear.
- Delivered as
HTTP POSTwithContent-Type: application/json - Include an
eventtype, a timestamp, and adataobject with transaction details - Retried automatically when your endpoint does not respond with
200 - Fully auditable through the delivery history endpoint
Register or Update a Webhook
Your account can have one active webhook URL at a time. Calling the upsert endpoint either registers a new URL or replaces the existing one.| Field | Type | Required | Description |
|---|---|---|---|
url | string | ✅ Yes | The publicly reachable HTTPS URL that will receive webhook POST requests. |
Query Your Registered Webhook
Retrieve the currently registered webhook URL for your account.Disable Your Webhook
Sending aDELETE request removes the registered webhook endpoint. No further events will be delivered until you register a new URL.
HTTP 204 No Content.
Webhook Payload Format
Every event delivered by CertoPay shares the same top-level envelope, regardless of event type. Thedata object contains the details specific to the transaction that triggered the event.
| Field | Type | Description |
|---|---|---|
event | string | The event type identifier, e.g. transaction.paid. |
created_at | string | ISO 8601 UTC timestamp of when the event was generated. |
data | object | Transaction details for the event. |
data object fields
| Field | Type | Description |
|---|---|---|
transactionId | string | Unique identifier of the transaction (UUID). |
orderId | string | Identifier of the associated order (UUID). |
amount | integer | Transaction amount in centavos (e.g. 29700 = R$ 297,00). |
method | string | Payment method: PIX, BOLETO, or CREDIT_CARD. |
status | string | Current transaction status (see Events). |
paidAt | string | ISO 8601 UTC timestamp of when payment was confirmed. Present only on transaction.paid events. |
Handling Deliveries
Responding to CertoPay
Your webhook endpoint must return an HTTP200 status code within 5 seconds of receiving the request. Any other status code, or a response that takes longer than 5 seconds, is treated as a failed delivery and queued for retry.
The 5-second timeout is strict. If your handler needs to perform slow operations — such as writing to a database, sending emails, or calling third-party APIs — acknowledge the webhook immediately with
200 and process the event asynchronously in a background job.Automatic Retries
When a delivery fails, CertoPay retries it automatically using an exponential backoff schedule. Retries continue until a200 is received or the maximum retry window is exhausted. Ensure your handler is idempotent — the same event may be delivered more than once.
Viewing Delivery History
You can inspect every delivery attempt made to your endpoint, including request/response details and status.| Filter | Description |
|---|---|
?status=SUCCESS | Deliveries acknowledged with HTTP 200. |
?status=FAILED | Deliveries that received a non-200 response or timed out. |
?status=PENDING | Deliveries scheduled for their first attempt or a retry. |
Retrying a Delivery Manually
If a delivery failed and you want to re-trigger it without waiting for the next automatic retry, use the manual retry endpoint.{deliveryId} with the delivery identifier returned by the delivery history endpoint.
Delivery history response example
Delivery history response example
Verifying Events
Receiving a webhook is not enough on its own to confirm a payment. The payload could be replayed, spoofed, or represent an intermediate state. Before granting product or service access, always verify the transaction status directly with the CertoPay API.status: "PAID".
Recommended verification flow
- Receive the
POSTto your webhook endpoint. - Parse the
transactionIdfromdata.transactionId. - Call
GET /api/transactions/{transactionId}using your API key. - Check that the response
statusmatches your expected value (e.g.PAID). - Fulfill the order in your system.
- Respond
HTTP 200to CertoPay.