We use cookies to optimize your user experience. All information shared with us through cookies is secure and covered by our data privacy obligations. To learn more, view our privacy policy.
KongaPay Logo
KongaPayDevelopers
v1.0
DevelopersVirtual AccountCallbacks (Webhooks)

Callbacks (Webhooks)

After a payment is processed on a virtual account, KongaPay sends an automatic POST notification to your callback URL.

This is the primary and recommended mechanism for confirming payments. Build your integration around callbacks and use status polling only as a fallback.

Callback URL Priority

KongaPay resolves the callback URL in the following order:

PrioritySourceWhen Used
1Integration config URLFor static and static-flex accounts โ€” uses the URL set in your integration settings.
2Default integration URLFallback if no specific config URL is set.
3Per-VA callback_urlThe URL passed in the request body when creating a nonstatic virtual account.

Callback Payload

POST payload
{
  "status":     "success",
  "session_id": "090405261234567890",
  "reference":  "INV-2026-0001",
  "amount":     5000,
  "date":       "2026-03-06 14:23:11"
}

Payload Fields

FieldDescription
statusPayment outcome. Only process if "success".
session_idNIP session ID. Use as a deduplication key โ€” reject duplicate callbacks for the same session.
referenceYour external_reference โ€” link this to your internal order or record.
amountConfirmed transaction amount in Naira.
dateTimestamp of the payment in YYYY-MM-DD HH:MM:SS format.

Handling Callbacks

๐Ÿ”

Validate the incoming payload

Verify the signature header to confirm the request originated from KongaPay.

โœ…

Check the status field

Only process a payment if status is "success".

๐Ÿ”—

Match on external_reference

Use this to link the payment to your internal order or record.

๐Ÿ”„

Use session_id as a deduplication key

Reject duplicate callbacks for the same session.

๐Ÿ“ก

Respond with HTTP 200

Return a 200 status code promptly. KongaPay will retry failed callbacks.

โš ๏ธ
Never fulfil an order or release a service based on an unvalidated callback. Always verify the signature before acting on the payload.

Callback Handler Example

Node.js / Express
app.post('/webhook', express.json(), (req, res) => {
  // 1. Validate signature
  const signature = req.headers['x-kongapay-signature'];
  if (!isValidSignature(signature, req.body)) {
    return res.status(401).send('Invalid signature');
  }

  const { status, session_id, reference, amount } = req.body;

  // 2. Only process successes
  if (status !== 'success') return res.sendStatus(200);

  // 3. Deduplicate
  if (await db.sessionExists(session_id)) return res.sendStatus(200);

  // 4. Reconcile
  await db.markOrderPaid(reference, { amount, session_id });

  // 5. Respond 200 promptly
  res.sendStatus(200);
});