It is a good idea to create an IPN listener page on your website and then specify the URL of the listener page in a "Settings → API" section. It is important to note that you should use only HTTPS URL. Cryptopay then sends a secure FORM POST containing payment information to the URL of all transaction-related events. The IPN listener detects and processes callbacks using your backend processes.

It is Highly recommended to validate callbacks before acting on it inside your system

The IPN listener page contains a custom script or program that waits for the messages, validates them with Cryptopay, and then passes them to various backend applications for processing.

Each callback request contains a X-Cryptopay-Signature header.

"X-Cryptopay-Signature": "ffef8e3a255bfa056a6f436b5ab39c0e4e7d193d4f02efe521d768a91fd87110"

This header contains the hex encoded SHA256 HMAC signature of the raw callback body, computed using your callback Secret as the key.

  1. You receive the callback

  2. You use SHA256 for hashing its body with your callback Secret

  3. You compare X-Cryptopay-Signature value to the hash you've got after hashing callback body

Every new callback request will have a new value of the X-Cryptopay-Signature header. Make sure you are comparing the hash with the right header.

Your callback Secret is available in the "Settings → API" section.

Cryptopay IPN server is expecting to get a 200 OK response code from you. If the response code is different to 200 OK, we will resend callbacks.