Set-up
Last updated
Was this helpful?
Last updated
Was this helpful?
Identify the events to monitor
Create a webhook endpoint function
Register and manage your webhook in PaySG
Secure your webhooks
Use the PaySG API reference to identify the PaySG events and the your webhook endpoint service needs to parse.
To set up a webhook endpoint function that can accept webhook requests with a POST method, you can follow these steps:
Create an HTTPS endpoint function that can handle POST requests with a JSON payload consisting of an . Webhooks will only be supported for HTTPS endpoints.
Ensure that your endpoint function quickly returns a successful status code (2xx) prior to any complex logic that could cause a timeout. For example, you must return a 2xx response before updating your internal system records.
After testing your webhook endpoint function, you can register the endpoint's accessible URL. Please add team@pay.gov.sg as an to the payment service, and share the webhook endpoint(s) with us via . The webhook endpoint(s) must be publicly accessible HTTPS URLs.
The URL format to register a webhook endpoint is:
For example, if your domain is https://agency-eservice.com
and the route to your webhook endpoint is @app.route('/paysg_webhooks', methods=['POST'])
, specify https://agency-eservice.com/paysg_webhooks
as the endpoint URL.
To add, update or delete existing webhook endpoints, contact the PaySG team to do it for you.
PaySG recommends that you verify authenticity of webhooks via signature validation. However, if your system requires IP whitelisting, you can use the following IP addresses.
Staging (https://staging.pay.gov.sg) 13.215.25.150 13.213.93.248
Production (https://pay.gov.sg) 3.1.60.243 13.229.175.148 13.214.75.139
PaySG will inform you at least 1 month in advance of any changes to these IPs.
After confirming that your webhook endpoint connection works as expected, secure the connection by implementing .
One especially important best practice is to use webhook signatures to verify that PaySG generated a webhook request and that it did not come from a server acting like PaySG. The steps to validate PaySG's webhook signature can be found under . PaySG does not support further customisation to verify specific values from your team.