Callback

QuickPay offers a callback service that will notify your system when you create, change or delete a resource. This is useful e.g. when you want to mark an order as paid, update your shops inventory and so on.

The callback service is asynchronous and as such will not interfer with or prolong the processing time of the API request generating a callback - eg. the time your customer will have to wait for payment confirmation.

In the event that your system is not able to receive or correctly process the callback, the callback service will try to deliver its message up to 24 times, with gradually increasing delays between each try.

Important! Currently only payment and subscription operations (authorize, capture etc.) will trigger a callback.

How it works

When you create, change or delete a resource a HTTP POST request is send to the callback URL defined in your Account settings.

A callback URL can also be specified in each operation request to the API with the header QuickPay-Callback-Url, or in each request to the Payment Window with the field callbackurl.

Request headers

The request headers contains some important information.

Header Description
QuickPay-Resource-Type The type of resource that was created, changed or deleted
QuickPay-Account-ID The account id of the resource owner - useful if receiving callbacks for several systems on the same url
QuickPay-API-Version API version of the callback-generating request
QuickPay-Checksum-Sha256 Checksum of the entire raw callback request body - using HMAC with SHA256 as the cryptographic hash function. The checksum is signed using the Account's private key. We strongly recommend that you validate the checksum to ensure that the request is authentic.

Request body

The request body contains the resource as it exists after the change - ie. it is equivalent to GET /<resource>/<identifier>.

Response

We expect a response http status code of 2xx, 302 or 303 to the callback. Otherwise the callback is failed and will be retried after an hour. When http status in the response is 301 or 307 we redirect the callback to the url in the Location header.

Order of callbacks

The callbacks are asynchronous and can be delivered in any order. However, callbacks on the same resource are guaranteed to be delivered in the same order the operations (create, change or delete) happen. E.g. callbacks for authorize and capture on the same Payment will always be delivered in that order, but two callbacks on different Payments will come in any order.

Request example

This example shows a callback generated when authorizing a payment:

POST /callback HTTP/1.1
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Type: application/json
QuickPay-Checksum-Sha256: e96f696596c38df228901a6f69f995ad1e917d7b64025f1f0e997a1080b2a35d
QuickPay-Resource-Type: Payment
QuickPay-Account-ID: 7
QuickPay-API-Version: v10
Connection: close
Host: merchant.com
Content-Length: 593

{
  "id": 7,
  "order_id": "Order7",
  "accepted": true,
  "test_mode": true,
  "branding_id": null,
  "variables": {},
  "acquirer": "nets",
  "operations": [
    {
      "id": 1,
      "type": "authorize",
      "amount": 123,
      "pending": false,
      "qp_status_code": "20000",
      "qp_status_msg": "Approved",
      "aq_status_code": "000",
      "aq_status_msg": "Approved",
      "data": {},
      "created_at": "2015-03-05T10:06:18+00:00"
    }
  ],
  "metadata": {
    "type": "card",
    "brand": "quickpay-test-card",
    "last4": "0008",
    "exp_month": 8,
    "exp_year": 2019,
    "country": "DNK",
    "is_3d_secure": false,
    "customer_ip": "195.41.47.54",
    "customer_country": "DK"
  },
  "created_at": "2015-03-05T10:06:18Z",
  "balance": 0,
  "currency": "DKK"
}

Checksum validation examples

These examples show how you can authenticate the callback request sent to your server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
require 'openssl'

def sign(base, private_key)
  OpenSSL::HMAC.hexdigest('sha256', private_key, base)
end

# Assuming that you are using Rack - https://github.com/rack/rack
request_body = env["rack.input"].read
checksum     = sign(request_body, "your_account_private_key")

if checksum == env["HTTP_QUICKPAY_CHECKSUM_SHA256"]
  # Request is authenticated
else
  # Request is NOT authenticated
end
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
function sign($base, $private_key) {
  return hash_hmac("sha256", $base, $private_key);
}

$request_body = file_get_contents("php://input");
$checksum     = sign($request_body, "your_account_private_key");

if ($checksum == $_SERVER["HTTP_QUICKPAY_CHECKSUM_SHA256"]) {
  // Request is authenticated
} else {
  // Request is NOT authenticated
}

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import hashlib, hmac, sys
PY3 = sys.version_info[0] >= 3

def sign(base, private_key):
  if PY3:
    return hmac.new(
      bytes(private_key, "utf-8"),
      bytes(base, "utf-8"),
      hashlib.sha256
    ).hexdigest()
  else:
    return hmac.new(private_key, base, hashlib.sha256).hexdigest()

# Assuming that you are using Werkzeug - http://werkzeug.pocoo.org/
request_body = environ['wsgi.input'].read()
checksum     = sign(request_body, "your_account_private_key")

if checksum == environ['HTTP_QUICKPAY_CHECKSUM_SHA256']:
  # Request is authenticated
else:
  # Request is Not authenticated
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
string checkSum = Request.Headers["QuickPay-Checksum-Sha256"];

var bytes = new byte[Request.InputStream.Length];
Request.InputStream.Read(bytes, 0, bytes.Length);
Request.InputStream.Position = 0;
string content = Encoding.UTF8.GetString(bytes);

string compute = sign(content, "your_account_private_key");

if (checkSum.Equals(compute))
{
  // Request is authenticated
}
else
{
  // Request is NOT authenticated
}

private string sign(string base, string api_key) {
  var e = Encoding.UTF8;

  var hmac = new HMACSHA256(e.GetBytes(api_key));
  byte[] b = hmac.ComputeHash(e.GetBytes(base));

  var s = new StringBuilder();
  for (int i = 0; i < b.Length; i++)
  {
    s.Append(b[i].ToString("x2"));
  }

  return s.ToString();
}