Postback
A postback (also known as a callback or webhook in some systems) is a message sent from Paykassma to the client's server to notify it of certain events. Currently, our platform sends postbacks only for successful payments.
By default, a postback is sent as an HTTP POST request to the postback_url provided by the client during onboarding. This URL can also be overridden for each individual order by specifying a new value in the request body.
If the postback was successfully handled by the client's system, the system is expected to respond with an HTTP 200 code. The response body should be empty.
If the response has any code other than HTTP 200, Paykassma will attempt to deliver the postback again, up to 5 times, with increasing intervals.
If a postback has already been processed by the client's system, Paykassma still expects to receive an HTTP 200 code as a response. This will prevent any further delivery attempts.
In case of duplicate postback deliveries, the client should process each payment only once, and never credit or debit funds twice in its own system.
Example postback body
{
  "general": {
    "project_id": 1,
    "client_id": 1,
    "signature": "RzTMyX5jQ/DGmu9HqlIYupd5Bm+R4tMKCYrRDzBsoSbU8J6WP+FGAg5R9vFqPDFGgr4XwUIjiCyYHXi+1Y+Idw==",
    "request_time": 1753311639
  },
  "order": {
    "id": "5764607523046000759",
    "type": "PAYIN",
    "status": "SUCCESS",
    "payment_method": "upi_p2c",
    "merchant_id": "ABC-XYZ",
    "amount": 1000,
    "currency": "INR",
    "success_url": "https://client_domain.com/success",
    "pending_url": "https://client_domain.com/pending",
    "fail_url": "https://client_domain.com/fail",
    "cancel_url": "https://client_domain.com/cancel",
    "postback_url": "https://backend.client_domain.com/postback",
    "payment_url": "https://payment_domain.com/5764607523046000759"
  },
  "payment": {
    "type": "PAYIN",
    "amount": 1000,
    "currency": "INR",
    "created_at": "2025-10-23 15:46:24",
    "customer_account": "account@bank"
  }
}
Each postback body contains a signature. This signature is generated using the secret postback_key provided upon onboarding. To validate that the postback was sent by our platform:
1. Remove the general.signature field from the received body
2. Generate a signature for the remaining JSON using your postback_key
3. Verify that the received signature matches your generated signature
If signatures don't match, do not accept or process the postback.
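A receiver that combines the three validation steps with the duplicate-delivery rule, as an added example that is not Paykassma's own code. The signing scheme in `sign_placeholder` (HMAC-SHA512 over compact, key-sorted JSON) is an assumption standing in for the real algorithm, which this page does not specify; the function names, the 400/403 responses and the in-memory `processed` set are also hypothetical.

```python
import base64, hashlib, hmac, json

def sign_placeholder(body, postback_key):
    # ASSUMPTION: stand-in scheme. Replace with the algorithm and JSON
    # serialization given in Paykassma's signature documentation.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(postback_key, raw, hashlib.sha512).digest()
    return base64.b64encode(mac).decode()

def handle_postback(raw_body, postback_key, processed, credit, sign=sign_placeholder):
    """Return the HTTP status to send back (always with an empty body)."""
    try:
        body = json.loads(raw_body)
        received = body["general"].pop("signature")  # step 1: remove the field
        order = body["order"]
        order_id, amount, currency = order["id"], order["amount"], order["currency"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400  # malformed body (status choice is an assumption)
    if not isinstance(received, str) or not isinstance(order_id, str):
        return 400
    expected = sign(body, postback_key)  # step 2: sign the remaining JSON
    # Step 3: constant-time comparison, so timing does not leak a partial match.
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
        return 403  # not accepted, not processed
    if order_id in processed:
        return 200  # duplicate delivery: acknowledge, never credit twice
    # In production make this check-and-credit atomic, e.g. a unique
    # constraint on the order id inside the crediting transaction.
    credit(order_id, amount, currency)
    processed.add(order_id)
    return 200

def demo():
    key = b"constructed-test-key"  # constructed value, not a real postback_key
    body = {"general": {"project_id": 1, "client_id": 1, "request_time": 1753311639},
            "order": {"id": "5764607523046000759", "status": "SUCCESS",
                      "amount": 1000, "currency": "INR"}}
    signature = sign_placeholder(body, key)
    body["general"]["signature"] = signature
    genuine = json.dumps(body).encode()
    body["order"]["amount"] = 9999  # altered after signing
    tampered = json.dumps(body).encode()
    processed, credits = set(), []
    record = lambda *args: credits.append(args)
    statuses = [handle_postback(b, key, processed, record)
                for b in (genuine, genuine, tampered)]
    return statuses, credits  # first delivery, retry, tampered copy
```

The retried delivery is acknowledged with 200 but credited only once, and the altered body is rejected before any order field is acted on.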