Callbacks

Methods for inspecting callbacks sent by B2BINPAY DeFi API for invoices and payouts

Get callbacks by operation ID

get

Retrieve a paginated list of callbacks for a specific operation ID

Authorizations
x-api-keystringRequired

Provide API key in X-API-Key header

Query parameters
operationIdstring · min: 1Required

ID of the operation to get callbacks for

Example: 97005662411689989
pageintegerOptional

Page number (starts from 1)

Default: 1
pageSizeinteger · max: 100Optional

Number of items per page (max 100)

Default: 10
Responses
chevron-right
200

Successfully retrieved callbacks

application/json
totalnumberRequired

Total number of items across all pages

pagenumberRequired

Current page number (starts from 1)

pageSizenumberRequired

Number of items per page

get
/api/v1/callbacks

Callback payload

Every callback body uses the same top-level structure:

id string · UUID

The unique callback identifier, in the UUID format.

type string

The callback type.

Invoice-related types:

  • INVOICE_CREATED: The invoice was created.

  • INVOICE_DEPOSIT_RECEIVED: An incoming deposit transaction was detected on the invoice address.

  • INVOICE_DEPOSIT_CONFIRMED: The incoming transaction has reached the required number of confirmations.

  • INVOICE_PAID: The paid amount is equal the requested amount and the invoice status changes to Paid* (for invoices with indicated amount).

  • INVOICE_UNRESOLVED: The paid amount is greater than the requested amount and the invoice status changes to Unresolved* (for invoices with indicated amount).

  • INVOICE_CLAIMED: Funds from the invoice address have been claimed to the account multisig wallet.

Payout-related types:

  • PAYOUT_CREATED: The payout was created.

  • PAYOUT_SENT: The payout transaction was sent to the blockchain.

  • PAYOUT_EXECUTED: The payout transaction was mined to a block and executed successfully.

  • PAYOUT_FAILED: The payout transaction failed in the blockchain.

operation_id string · UUID

The identifier of the original operation: invoiceId for invoice-related callback types, payoutId for payout-related callback types.

operation_type string

The original operation type: invoice or payout.

timestamp string

The date and time the callback was generated, in ISO 8601 format (UTC). Updated with each callback resend attempt.

data object

The callback-specific payload.

Always includes the original operation object (invoice or payout). May include transactions, claims, and other associated objects.

Below you can find examples of payloads for different callback types.

chevron-rightINVOICE_CREATEDhashtag
chevron-rightINVOICE_DEPOSIT_RECEIVEDhashtag
chevron-rightINVOICE_DEPOSIT_CONFIRMEDhashtag
chevron-rightINVOICE_PAIDhashtag
chevron-rightINVOICE_UNRESOLVEDhashtag
chevron-rightINVOICE_CLAIMEDhashtag
chevron-rightPAYOUT_CREATEDhashtag
chevron-rightPAYOUT_SENThashtag
chevron-rightPAYOUT_EXECUTEDhashtag
chevron-rightPAYOUT_FAILEDhashtag
chevron-rightPAYOUT_CANCELLEDhashtag

Callback verification

Each callback request is signed to confirm that it was sent by the B2BINPAY DeFi API and was not modified in transit.

The signature is provided in the X-CALLBACK-SIGNATURE HTTP header, that contains an HMAC-SHA256 hash of the raw JSON payload and your callback secret.

Verification steps

1

Read the raw request body

Capture the exact HTTP body bytes as received:

  • Do not re-serialize the JSON before verification.

  • Use JSON.stringify(payload) without custom replacers/spacing (no pretty print).

  • Ensure numbers and booleans stay as JSON primitives (do not stringify them).

  • Timestamps must be in the UTC ISO 8601 format, for example: 2025-08-22T10:10:00Z.

2

Read the signature header

Get the value of the X-CALLBACK-SIGNATURE header.

→ If the header is missing, reject the request (HTTP code 400).

3

Compute the expected signature

Use HMAC with SHA-256:

  • Key: callback_secret (UTF-8)

  • Message: raw request body bytes (UTF-8)

  • Output: hex string

4

Compare signatures

Compare the received signature with the computed one using a constant-time comparison.

5

Accept or reject

  • If signatures match → process the callback (HTTP code 200).

  • If they do not match → reject the request (HTTP code 401).

chevron-rightCallback processing examplehashtag

Last updated

Was this helpful?