What are Webhooks
Webhooks let NTX Pay send HTTPS notifications to your server whenever a relevant event happens — cash-in confirmation, cash-out failure, etc. — without you having to pollGET /api/transactions.
Available Events
| Event | When it fires |
|---|---|
cash_in | SPEI cash-in confirmed or OXXO cash-in paid at the register |
cash_out | SPEI cash-out settled |
refund_in | Received refund (one of your cash-outs was returned) |
refund_out | Sent refund (you refunded a cash-in) |
internal_transfer | Internal transfer between NTX Pay accounts |
Configuration
Endpoint:POST /api/webhooks-config. You provide:
url— HTTPS endpoint on your serverevents— array with 1 to 5 eventssecret— optional. If omitted, NTX Pay generates one automatically and returns it in the response.
Security — HMAC Signature
Every webhook is signed with HMAC-SHA256 using thesecret. Headers sent:
| Header | Content |
|---|---|
X-NTXPay-Signature | sha256=<hex-hmac> of the raw body |
X-NTXPay-Timestamp | Unix timestamp of the delivery |
X-NTXPay-Event | event name (cash_in, etc.) |
X-NTXPay-Delivery | unique delivery UUID (use for dedupe) |
Delivery Guarantees
- At-least-once: you may receive the same event more than once. Use
X-NTXPay-Deliveryto deduplicate. - Retries: up to 5 attempts in exponential backoff if you respond with a non-
2xxstatus. - Timeout: 10 seconds. Respond fast — process asynchronously if needed.
- Order: events may arrive out of order under error conditions. Check
createdAtin the payload.
Recommended Practices
- Respond
200immediately after validating the signature and queueing the event. - Deduplicate by
X-NTXPay-Deliveryortransaction.id. - Idempotency: process confirmed
cash_infor the sameexternalIdonly once. - Re-query
/api/transactionsif in doubt about state — the webhook is an optimization, not the source of truth. - HTTPS required — webhooks are only delivered to HTTPS URLs.
Next Steps
Webhook Setup
Configure the endpoint on your account
Implementation
HMAC validation examples in Node, Python and PHP