EBANX sends a notification each time a payment status changes, which consists of an HTTP POST to an URL specified on your Dashboard.

The following parameters are sent:

operation=payment_status_change&notification_type=update
&hash_codes=53ad936c0dfb7b008d57bf7d396c83a28d24869949fdc84f

It’s also possible that is sent an an array of hashes separated by commas:

operation=payment_status_change&notification_type=update
&hash_codes=53ad936c0dfb7b008d57bf7d396c83a28d24869949fdc84f,cc6d7065bd3842c9fd56f993dba4d900b428d9373878aff8

Parameters

operation

string

The value is always payment_status_change.

notification_type

string

Event that triggered the notification:

  • update: the payment status has changed from PE to CO or CA.
  • chargeback: a chargeback was issued for this payment.
  • refund: a refund was issued for this payment.
  • chargeback_credit: a chargeback credit was issued for this payment.

hash_codes

string

A single hash or an array of hashes separated by commas.

We expect a HTTP 200 code as a response.

After receiving the notification, you should call the API method query to fetch the current payment status, and then use it to process the payment on your system.

Notification signature

EBANX signs every notification request using a private certificate and send the signature in the HTTP headers. The merchant can verify if the request really came from EBANX by validating the digital signature using our public certificate.

The available certificates and their fingerprints are shown on the table below:

Fingerprint Certificate
4ABAD89CF66B99998465470550EB15E3E271A246 Download

EBANX will send the following headers in the notification request:

X­-Signature­Type: rsa,sha1
X­-Signature­Fingerprint: 4ABAD89CF66B99998465470550EB15E3E271A246
X-­Signature­Content: xh5hstzZt5Rf5ihNzbfFfkmN89askd...DrHJAnzHgaf2vzA==

X­-Signature­Type

The signing algorithm. EBANX will always use RSA/SHA1.

X­-Signature­Fingerprint

The signature fingerprint. It indicates which certificate was used to sign the notification.

X­-­Signature­Content

The signed payload, encoded as a Base64 string.

The signature can be validated in PHP as follows:

$cert      = file_get_contents('ebanx-notifications-public.pem');
$data      = file_get_contents("php://input");
$signature = base64_decode($_SERVER['HTTP_X_SIGNATURE_CONTENT']);

// http://php.net/manual/en/function.openssl-verify.php
$result = openssl_verify($data, $signature, $cert);

if ($result === 1)
{
  echo "OK, signature is correct.";
}
else
{
  echo "ERROR, the signature is incorrect.";
}