Webhook Confirmation

About Webhooks

For each payment request you send, you'll have to provide Aplazo with the URL where you want to receive webhook notifications.

As soon as the first installment is paid by the user, you'll receive a POST request with the following request body:

{
  "status": "Activo",
  "loanId": 155789,
  "cartId": "cart-123-abc",
  "merchantId": 1234
}

Fields

• status str

  • Activo: Indicates that the payment is active, meaning the user has paid the first installment and the loan is now outstanding.

• loanId int Identifier for the loan in Aplazo's system.

• cartId str The identifier you (the merchant) provided during the payment request, used to match the payment in your own system.

• merchantId int The Aplazo-assigned ID for your merchant account.

The field status you receive in the webhook is related to the status you get when you send a GET status api request.

Status in Webhook	GET loan status request
Activo	ACTIVE

Webhook Security

Aplazo provides several options to help you verify and secure incoming webhook requests, ensuring they originate from a trusted source and have not been tampered with. Here are two primary methods for adding an extra layer of protection.

IP Whitelisting

• Aplazo can share its static IP addresses for both sandbox and production environments.

• You can then configure your server to only accept requests from these IP addresses, preventing unauthorized systems from sending requests.

Security Token in the POST Header

• Aplazo can include an authentication token in the header of every webhook request.

• You can configure this token as either Basic or Bearer authentication.

• On your server, validate the incoming header against the token you expect. Requests without a valid token should be rejected with a 400.

These methods are optional.