Callbacks and Webhooks

Configure merchant callbacks and webhook handling so payment lifecycle events are delivered reliably and verifiably.

Merchant webhook delivery headers

• x-lc-pay-signature — HMAC-SHA256 signature
• x-lc-pay-event-id — unique event id
• x-lc-pay-event-type — event type
• x-lc-pay-idempotency-key — dedupe key
• x-lc-pay-timestamp — signed timestamp

Signature verification

Message format for signature validation:

{timestamp}.{rawJsonPayload}

Retry and dead-letter lifecycle

• pending → delivered for successful attempts.
• pending/failed → failed when retry is scheduled.
• failed → dead_letter after max attempts/permanent 4xx.

Operational endpoints

• GET /api/cron/process-merchant-webhooks in Pay for scheduled delivery
• GET /api/admin/merchant-webhooks for counts and queue visibility
• POST /api/admin/merchant-webhooks to requeue specific events