1. Introduction

This document outlines the steps to configure a PostBack URL within the MyXspend portal. A PostBack URL enables MyXspend to notify merchants about transaction status updates in real-time.

2. Overview

To receive transaction status updates via a postback request, merchants must configure their PostBack URL within the MyXspend portal. When a transaction reaches a terminal state, MyXspend will trigger an HTTP GET request to the specified PostBack URL, appending relevant query parameters.

2.1 PostBack URL Query Parameters

The following query parameters will be included in the GET request:
  • customerOrderId: The unique transaction identifier provided by the merchant in the /payment/process API request.
  • status: The final status of the transaction, which can be one of the following values:
    • SUCCESSFUL: Indicates that the transaction was completed successfully.
    • EXPIRED: Indicates that the transaction was not completed within the allowed time frame.
    • FAILED: Payment failed (e.g. invalid card, failed KYC).
  • dateTime: The date of successful payment in YYYY-MM-DD format (GMT timezone). If the payment failed or expired, this will be null.
  • amount: The amount paid by the user. This may differ from the amount in the original /process request if the merchant allows flexibility.
  • currency: The currency in which the user paid. This may differ from the original currency in the /process request if the merchant accepts multiple currencies.

2.2 Important Considerations

  • If a transaction status is EXPIRED, multiple callbacks may be received.
  • The SUCCESSFUL status is definitive and will not change.
  • Only HTTP GET requests are supported for PostBack URLs.
  • Order of Parameters Matters: The query parameters must appear in the exact order shown above, and their casing must match exactly. This is critical for correct signature validation.
  • Signed as a String: The full URL with parameters is treated as a single string before signing.
By properly configuring a PostBack URL, merchants can seamlessly receive and process transaction status updates, ensuring accurate order management and real-time status tracking.

2.3 How We Construct the Payload

We generate the signed payload by taking the callback URL you provided in the MyXspend portal and appending the following query parameters: 
?customerOrderId={CUSTOMER_ORDER_ID}&status={STATUS}&dateTime={DATE}&amount={AMOUNT}&currency={CURRENCY}

Example

If your registered callback URL is: 
https://mycallbackurl.com/myxspend

✅ Successful Payment

https://mycallbackurl.com/myxspend?customerOrderId=123456&status=SUCCESSFUL&dateTime=2025-05-29&amount=18.0&currency=EUR

❌ Failed Payment

https://mycallbackurl/myxspend?customerOrderId=123456&status=FAILED&dateTime=null&amount=18

2.4 Signature Key

To ensure the security of our webhook calls, we sign each payload using the HMAC-SHA256 algorithm and then encoded in Base64 format. The resulting signature is included in the X-Signature header of the webhook request. We use your API Key to generate the signature. You can find your API Key either:
  • On the MyXspend Portal, or
  • In the response header of the Login API request.

2.5 Sample Code to construct Signature for Validation

// Code Sample to generate signature header in Javascript
const crypto = require('crypto');

function createSigningHeader(queryString, apiKey) {
    // Create HMAC SHA-256 signature
    const hmac = crypto.createHmac('sha256', apiKey);
    hmac.update(queryString);
    const signatureBase64 = hmac.digest('base64');

    // Return header map
    return {
        'X-Signature': signatureBase64
    };
}

// Example usage:
const postBackUri = "https://mycallbackurl.com/myxspend?customerOrderId=123456&status=SUCCESSFUL&dateTime=2025-05-29&amount=18.0&currency=EUR";

const headers = createSigningHeader(postBackUri, 'YOUR_API_KEY');
console.log(headers);

// Code Sample to generate signature header in php
function createSigningHeader($queryString, $apiKey) {
    // Create HMAC SHA-256 signature
    $hmac = hash_hmac('sha256', $queryString, $apiKey, true);

    // Encode in Base64
    $signatureBase64 = base64_encode($hmac);

    // Return header array
    return [
        'X-Signature' => $signatureBase64
    ];
}

// Example usage:
$postBackUri = 'https://mycallbackurl.com/myxspend?customerOrderId=123456&status=SUCCESSFUL&dateTime=2025-05-29&amount=18.0&currency=EUR';

$headers = createSigningHeader($postBackUri, 'YOUR_API_KEY');
print_r($headers);