Webhook moncash successfull

When a transaction status changes, Bouspam automatically sends a POST request to your Webhook URL with the full details of the transaction. This is the most reliable way to confirm payments — no need to poll the API or wait for the customer to return to your site.

How it works

A customer completes (or fails) a payment
Bouspam sends a signed POST request to your Webhook URL
Your server verifies the signature
Your server processes the event (update order, send email, unlock access, etc.)
Your server returns 200 OK

//The request Bouspam sends you  
POST https://yoursite.com/webhooks/payment  (add yours)
Content-Type: application/json
X-Bouspam-Signature: sha256=<hex_signature>
X-Bouspam-Event: payment.updated

//json
{
  "event": "payment.updated",
  "version": "v1",
  "timestamp": "2025-03-14T21:30:00.123456+00:00",
  "data": {
    "transaction_id": "550e8400-e29b-41d4-a716-446655440000",
    "reference_id": "ORDER-001",
    "status": "completed",
    "amount": "2500.00",
    "fees": "156.25",
    "net_amount": "2343.75",
    "currency": "HTG",
    "payment_method": "moncash",
    "customer_name": "Jean Pierre",
    "customer_email": "[email protected]"
  }
}

Verifying the signature

Every request includes an X-Bouspam-Signature header. Always verify it before processing the event — this confirms the request genuinely came from Bouspam and was not tampered with.

Your webhook_secret (from the Dashboard) is used to compute and verify this signature.

The signature is computed as:

HMAC-SHA256(webhook_secret, raw_request_body)

The header value is prefixed with sha256=:

X-Bouspam-Signature: sha256=3d4f2bf07dc1be38b20cd8e46a1d58d4b72...

⚠️ Always use the raw request body to verify the signature — do not parse the JSON first.

example

nodejs

const crypto = require('crypto');

function verifyWebhook(secret, rawBody, signatureHeader) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)        // rawBody must be a Buffer or string (not parsed JSON)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signatureHeader)
  );
}

// Express example:
app.post('/webhooks/payment', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-bouspam-signature'] || '';
  if (!verifyWebhook(process.env.WEBHOOK_SECRET, req.body, sig)) {
    return res.sendStatus(401);
  }
  const event = JSON.parse(req.body);
  // process event...
  res.sendStatus(200);
});

python

import hashlib
import hmac

def verify_webhook(secret: str, raw_body: bytes, signature_header: str) -> bool:
    expected = "sha256=" + hmac.new(
        secret.encode(),
        raw_body,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature_header)

# In your view / handler:
raw_body = request.body  # raw bytes — do NOT parse JSON first
signature = request.headers.get("X-Bouspam-Signature", "")

if not verify_webhook(WEBHOOK_SECRET, raw_body, signature):
    return HttpResponse(status=401)

event = json.loads(raw_body)
# process event...

Previousverify transaction

Last updated 26 minutes ago

Good morning

hashtagexample

hashtagnodejs

hashtagpython

example

nodejs

python