
REST + HMAC + async retry

A REST API designed not to betray you in production

Clean JSON, HMAC SHA-256 signatures on input and output, a first-class Idempotency-Key, exponential retry, and a stable event catalog. You write your integration once — it never breaks.

What you get

HMAC both ways

You sign your API requests with X-SP-Signature. We sign our webhooks with X-SP-Signature. No route passes without cryptographic verification.

Required Idempotency-Key

Required on every critical mutating POST. A network replay or a double-click never creates a double charge: the same response is returned deterministically for the same key.
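As an added illustration of the two features above (not code from the platform), here is a client that signs a request body and sets an Idempotency-Key, next to a minimal in-memory stand-in for the API side that verifies the signature in constant time and replays the stored response for a repeated key. The `sha256=<hex>` over the raw body is the format the page shows for webhooks; applying it to requests, the `/charges` route, the secret value and the response shape are assumptions made for the example.

```python
import hashlib
import hmac
import json
import uuid

# Constructed secret for the example; a real merchant gets this from their dashboard.
API_SECRET = b"sk_example_merchant_secret"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """X-SP-Signature value: 'sha256=' + hex HMAC-SHA256 over the raw body.
    The page documents this format for webhooks; using it for requests is an assumption."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def build_request(body: dict, idempotency_key: str) -> dict:
    """Client side: serialize once and sign exactly the bytes that go on the wire."""
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        "Idempotency-Key": idempotency_key,
        "X-SP-Signature": sign_body(API_SECRET, raw),
    }
    return {"headers": headers, "body": raw}


class ChargeServer:
    """Stand-in for a hypothetical POST /charges handler on the API side."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.charges = []            # charges actually created
        self.idempotency_store = {}  # Idempotency-Key -> (status, response); a DB in production

    def handle_post(self, headers: dict, raw_body: bytes):
        # 1. Signature first: nothing is parsed or stored until the MAC checks out.
        expected = sign_body(self.secret, raw_body).encode()
        received = headers.get("X-SP-Signature", "").encode()
        if not hmac.compare_digest(expected, received):   # constant-time compare
            return 403, {"error": "invalid signature"}

        # 2. The key is mandatory on mutating calls.
        key = headers.get("Idempotency-Key")
        if not key:
            return 400, {"error": "Idempotency-Key header is required"}

        # 3. Replay (network retry, double-click): return the stored response, create nothing.
        if key in self.idempotency_store:
            return self.idempotency_store[key]

        body = json.loads(raw_body)
        charge = {"id": "ch_" + uuid.uuid4().hex[:12],
                  "amount": body["amount"], "currency": body["currency"]}
        self.charges.append(charge)
        self.idempotency_store[key] = (201, charge)
        return 201, charge


if __name__ == "__main__":
    server = ChargeServer(API_SECRET)
    req = build_request({"amount": 1999, "currency": "EUR"}, "order-42-charge")
    first = server.handle_post(req["headers"], req["body"])
    replay = server.handle_post(req["headers"], req["body"])
    print(first, replay == first, len(server.charges))   # same response, one charge
```

The order of the checks matters: the signature is verified on the raw bytes before anything is parsed, and the idempotency lookup happens only for authenticated requests, so an attacker cannot probe the key store with unsigned traffic.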

Dedicated async retry

Merchant webhooks go into an isolated retry queue: 10 attempts, exponential backoff capped at 30 min, and a DLQ for permanent failures, without ever blocking the main flow.
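The retry policy above, written out as an added example (not the platform's worker code): the delay before retry n is base × 2^(n-1) capped at 30 minutes, attempts stop at 10, and a delivery that still fails is moved to a dead-letter list. The 10-second base delay is an assumption, since the page states only the attempt count and the cap; the `send` callable stands in for the HTTP POST to the merchant endpoint.

```python
from typing import Callable, List, Optional

MAX_ATTEMPTS = 10         # from the page: 10 attempts, then the DLQ
CAP_SECONDS = 30 * 60     # from the page: exponential backoff capped at 30 min
BASE_SECONDS = 10         # assumption: the page does not state the first retry delay


def backoff_delay(retry_number: int, base: int = BASE_SECONDS, cap: int = CAP_SECONDS) -> int:
    """Seconds to wait before retry number `retry_number` (1 = first retry): base * 2^(n-1), capped."""
    if retry_number < 1:
        raise ValueError("retry_number is 1-based")
    return min(cap, base * 2 ** (retry_number - 1))


class Delivery:
    def __init__(self, event_id: str, url: str):
        self.event_id = event_id
        self.url = url
        self.attempts = 0
        self.next_delay: Optional[int] = None   # None = finished (delivered or dead-lettered)
        self.dead_lettered = False


class WebhookRetryQueue:
    """Isolated retry worker: one delivery attempt per call, never blocks the caller."""

    def __init__(self, send: Callable[[str, str], int]):
        self.send = send      # send(url, event_id) -> HTTP status returned by the merchant endpoint
        self.dlq: List[Delivery] = []

    def attempt(self, d: Delivery) -> Delivery:
        d.attempts += 1
        status = self.send(d.url, d.event_id)
        if 200 <= status < 300:
            d.next_delay = None                  # merchant acknowledged
        elif d.attempts >= MAX_ATTEMPTS:
            d.dead_lettered = True               # permanent failure: park it for operators
            d.next_delay = None
            self.dlq.append(d)
        else:
            d.next_delay = backoff_delay(d.attempts)
        return d

    def drain(self, d: Delivery) -> List[int]:
        """Drive one delivery to completion; returns the delays a scheduler would wait between attempts."""
        waited = []
        while True:
            self.attempt(d)
            if d.next_delay is None:
                return waited
            waited.append(d.next_delay)   # a real worker re-enqueues with this delay instead of sleeping


def always_down(url: str, event_id: str) -> int:
    """Constructed merchant endpoint that never recovers."""
    return 503


if __name__ == "__main__":
    q = WebhookRetryQueue(always_down)
    print(q.drain(Delivery("evt_example_1", "https://merchant.example/webhook")))
    # -> [10, 20, 40, 80, 160, 320, 640, 1280, 1800], after which the delivery sits in q.dlq
```

Note that the worker never sleeps inline: `attempt` does one POST and records when the next one is due, which is what keeps the queue isolated from the request path the page describes.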

35+ stable events

A centralized and versioned event catalog. Once published, an event definition doesn't change. Naming convention: payment.succeeded, checkout.session.completed, payout.failed.

Verify the signature of a received webhook (bash)

# Received:
#   POST /your-webhook-endpoint
#   X-SP-Signature: sha256=<hex>
#   X-Event-Type: payment.succeeded
#   { ... JSON payload ... }
#
# Assumes the handler exported the raw request body as $BODY and the two
# headers as $X_SP_SIGNATURE and $X_EVENT_TYPE; $WEBHOOK_SECRET is the merchant secret.

# 1. Recompute the HMAC from the raw body + merchant secret
expected=$(printf '%s' "$BODY" \
  | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" -hex \
  | awk '{print "sha256=" $2}')

# 2. Constant-time comparison. The shell's [ = ] stops at the first differing
#    byte, so compare keyed re-hashes of both values instead: the random
#    per-request key makes the compared strings unrelated to the secret, so
#    any timing difference leaks nothing useful.
nonce=$(openssl rand -hex 16)
h_expected=$(printf '%s' "$expected" | openssl dgst -sha256 -hmac "$nonce" -hex | awk '{print $2}')
h_received=$(printf '%s' "$X_SP_SIGNATURE" | openssl dgst -sha256 -hmac "$nonce" -hex | awk '{print $2}')
if [ "$h_expected" = "$h_received" ]; then
  echo "Signature OK — process $X_EVENT_TYPE"
else
  echo "Invalid signature — reject with 403"
fi

# Merchant-side idempotency: deduplicate on the payload's event_id
# so retried deliveries are handled without double effects.

HMAC SHA-256 on input and output
10× exponential retry, cap 30 min
35+ stable cataloged events
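The same receiver logic as the shell snippet, plus the event_id deduplication it mentions and a check against the event catalog, as an added example in Python (not the platform's SDK): `hmac.compare_digest` gives the constant-time comparison directly, unknown event names are acknowledged rather than rejected so they do not burn retry attempts, and `make_webhook` constructs a delivery offline so the receiver can be exercised without the platform. The secret value, the top-level `event_id` field and the three-entry catalog are assumptions; the page names those three events but does not list the full catalog.

```python
import hashlib
import hmac
import json
from typing import Tuple

WEBHOOK_SECRET = b"whsec_example_merchant_secret"   # constructed value

# The three names the page gives; the full 35+ catalog is not reproduced here.
KNOWN_EVENTS = {"payment.succeeded", "checkout.session.completed", "payout.failed"}


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def make_webhook(secret: bytes, event_type: str, payload: dict) -> Tuple[dict, bytes]:
    """Constructed delivery in the shape the page documents, to feed the receiver offline."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    headers = {"X-SP-Signature": expected_signature(secret, raw), "X-Event-Type": event_type}
    return headers, raw


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_event_ids = set()   # production: a table with a unique index on event_id
        self.handled = []

    def receive(self, headers: dict, raw_body: bytes) -> Tuple[int, str]:
        # 1. Authenticate the raw bytes before parsing them. compare_digest does not
        #    short-circuit on the first mismatching byte, unlike == or the shell's [ = ].
        expected = expected_signature(self.secret, raw_body).encode()
        received = headers.get("X-SP-Signature", "").encode()
        if not hmac.compare_digest(expected, received):
            return 403, "invalid signature"

        # 2. Unknown event names are acknowledged, not rejected: a 4xx/5xx would only
        #    make the platform retry (up to 10 times) something this code will never handle.
        event_type = headers.get("X-Event-Type", "")
        if event_type not in KNOWN_EVENTS:
            return 200, "ignored"

        # 3. Merchant-side idempotency: a retried delivery carries the same event_id.
        payload = json.loads(raw_body)
        event_id = payload["event_id"]
        if event_id in self.seen_event_ids:
            return 200, "duplicate"
        self.seen_event_ids.add(event_id)
        self.handled.append((event_type, payload))   # the only place side effects happen
        return 200, "processed"


if __name__ == "__main__":
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    headers, body = make_webhook(WEBHOOK_SECRET, "payment.succeeded",
                                 {"event_id": "evt_example_1", "amount": 500})
    print(receiver.receive(headers, body))   # first delivery
    print(receiver.receive(headers, body))   # retried delivery: same event_id, no second effect
```

The in-memory `seen_event_ids` set has a check-then-add race under concurrent deliveries; in a real deployment the insert into a uniquely indexed table is what makes the deduplication atomic.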

Integrate the API with confidence.

Full Swagger doc + Postman collection coming soon.