> ## Documentation Index > Fetch the complete documentation index at: https://docs.v2.topup.com.co/llms.txt > Use this file to discover all available pages before exploring further. # Webhooks > Receive real-time updates about the status of transactions. # Webhooks The Webhook feature allows your system to receive real-time updates about the status of transactions. When a transaction status changes, Tumipay sends a POST request to the URL provided in the `ipn_url` field during the transaction creation. ## Webhook Payload The webhook payload is a JSON object containing the following information: ```json Webhook Payload theme={null} { "top_status": "APPROVED", "top_ticket": "49e3c70f-49d2-11ef-a534-02530a7dec0f", "top_reference": "ef3bc5cc-1a08-41c8-9e3b-449b95ac5eb6", "top_amount": 20000, "top_currency": "COP", "top_payment_method": "RECAUDO", "top_bank_name": "BANCO FALABELLA", "top_response_message": "Transacción exitosa", "top_user": { "legal_doc_type": "CC", "legal_doc": "879406421", "phone_code": "57", "phone_number": "3002134607", "email": "janejohnson@email.com", "full_name": "Jane Johnson" }, "top_card": { "bank": "BANCO FALABELLA", "bin": "531122", "country": "Colombia", "lastFourDigits": "1974", "type": "credit", "brand": "Mastercard" }, "top_user_email": "janejohnson@email.com", "top_user_phone": "3002134607", "top_extra_params1": "" } ``` ### Payload Properties The status of the transaction. Possible values: * `APPROVED`: The transaction was successfully completed * `REJECTED`: The transaction failed during the normal flow (e.g., declined by the bank) * `DECLINED`: The transaction was canceled due to internal rules, such as fraud detection, transactional limits, or merchant configurations * `PENDING`: The transaction is in progress and awaiting confirmation * `CREATED`: The transaction has been initiated but not yet processed * `EXPIRED`: The transaction has expired due to timeout Unique identifier of the transaction Reference identifier provided by the merchant for the transaction Total amount of the transaction Currency of the transaction (e.g., `COP`) The payment method used (e.g., `RECAUDO`) Name of the bank involved in the transaction Message describing the transaction's outcome Type of the customer legal document (e.g., `CC`) Customer legal document number Customer country phone code Customer phone number Customer email address Customer full name Customer email address (repeated for convenience) Customer phone number (repeated for convenience) Name of the issuing bank Bank Identification Number (first 6 digits of the card) Country of issuance Last four digits of the card number Card type (e.g., `credit`, `debit`) Card brand (e.g., `Visa`, `Mastercard`) Additional parameters ## Webhook Security The webhook request includes the following headers for validation: A signature generated based on certain values in the payload The user agent for the webhook is `Tumipay/1.1` ### Signature Generation Always validate the webhook signature to ensure that the request is legitimate and comes from Tumipay. The signature is generated using the SHA256 algorithm by hashing a JSON object that includes the customer token, the transaction ticket, and the transaction reference. ```json Signature Format theme={null} { "token": "", "ticket": "", "reference": "" } ``` ### Signature Verification Steps Create a JSON string with your client token and the received transaction details Generate a signature by hashing the JSON object with SHA256 Compare your generated signature with the one in the `x-trx-signature` header Only process the webhook if the signatures match ## Handling Webhook Events Your system should respond to webhook requests with a `200 OK` HTTP status code to confirm successful receipt. ### Retry Schedule If Tumipay does not receive a successful response, it will retry sending the webhook according to this schedule: 5 minutes after the initial attempt 15 minutes after the first retry 30 minutes after the second retry 1 hour after the third retry 2 hours after the fourth retry After these attempts, if no successful response is received, the webhook will be marked as failed and no further retries will be made. ### Example Use Case: Declined vs Rejected Indicates the transaction was canceled internally by merchant-specific rules, such as: * Fraud detection triggers * Exceeding transactional limits * Additional configurations made by the merchant Indicates the transaction was declined during the normal transaction process, such as: * Insufficient funds * Bank-specific rejections ### Example Use Case: Idempotent Processing To prevent processing the same webhook event multiple times, implement idempotency checks in your webhook handler. Store a record of processed transactions using their `top_ticket` or `top_reference` as a unique key When a webhook is received, check if the `top_ticket` already exists in your database If the transaction exists, skip processing to avoid duplicates. Otherwise, proceed with handling the event and store the record By following these practices, you can ensure a reliable and secure webhook implementation that effectively handles real-time transaction updates. ### Handling Common Response Messages When receiving webhooks, be prepared to handle these common response messages for transactions with "REJECTED" status: * "Esta cuenta está inactiva/bloqueada" - Account is inactive/blocked * "La cuenta o Nit no corresponden" - Account or tax ID do not match * "El número de cuenta no existe" - Account number does not exist * "El número de cuenta no es válido" - Account number is invalid * "Cuenta no autorizada" - Unauthorized account * "El Nit no es válido" - Invalid tax ID * "El producto de destino no existe" - Destination product does not exist * "Excede el tope saldo de la cuenta destino" - Exceeds destination account balance limit By following these practices, you can ensure a reliable and secure webhook implementation that effectively handles real-time transaction updates.