Event Notification

Global Collections is an event-driven service. Many operations complete asynchronously — virtual account approval, incoming funds, payout results, refund and sub-merchant status changes are all delivered to the Merchant as webhooks.

This page explains how to configure and verify webhooks. The payload of each event type is documented in its own webhook page (linked below).

Configuration

Configure webhooks on the Merchant Portal under the Global Collections service menu.

Parameters description

• URL: The endpoint on the Merchant system that receives webhook POST requests.

• Secret key: Used to verify the secureHash of each payload.

• Authorization type: No Auth or Basic Auth.

• Type: The event type(s) this URL subscribes to — see the catalogue below.

A Merchant may register multiple URLs, each subscribing to a different set of event types.

Delivery

• NeoX sends an HTTP POST request to the configured URL whenever a subscribed event occurs.

• The request body is application/json.

• The Merchant endpoint must respond with HTTP 200 to acknowledge receipt.

• If the endpoint does not acknowledge, NeoX retries the delivery with a backoff schedule. Webhook handlers must therefore be idempotent — the same event may be delivered more than once. De-duplicate on the event's primary identifier (e.g. requestId, transId, collectionOrderId).

Verifying secureHash

Every webhook payload includes a secureHash field. To verify it:

1. Take all payload fields except secureHash (and except optional fields, where the webhook page says so).

2. Sort the keys in alphabetical order and concatenate their values.

3. Append the Secret Key configured on the Merchant Portal.

4. Compute the SHA256 hash and Base64-encode it.

5. Compare the result with the received secureHash. Reject the payload if they differ.

Event catalogue