Paymentgate sends signed HTTPS POST events the moment anything changes — payment.succeeded, subscription.renewed, dispute.opened, and 40+ more. With guaranteed delivery, automatic retries, and a built-in test console, your integrations stay in sync.
Built into
Subscribe to exactly the events you care about. Every event ships with a full payload — no additional API calls needed.
Paymentgate persists every event in a durable queue before sending it to your endpoint. If your server is down, overloaded, or returns a non-2xx response, we retry automatically for up to 72 hours using exponential back-off.
Durable event queue
Events are written to persistent storage before dispatch — never dropped in memory.
Automatic retries with back-off
Intervals: 5 s → 30 s → 2 min → 10 min → 30 min → 1 h → 2 h → 6 h → 12 h → 24 h
Idempotency IDs
Every event carries a unique event_id. Store it to deduplicate at-least-once retries safely.
Failure alerts
Receive email and Slack alerts when your endpoint starts failing — before the retry window closes.
Abandoned events are stored for 30 days. You can re-deliver them manually from the dashboard.
Each request carries a Paymentgate-Signature header containing a HMAC-SHA256 digest of the raw request body, signed with your endpoint's secret. Recompute it server-side before processing any event — reject anything that doesn't match.
Incoming request headers
Security tip: Always verify the signature on the raw request body before parsing JSON. Parsing first and re-serialising can alter byte order and produce a different digest. Use hmac.compare_digest (Python) or timingSafeEqual (Node.js) to prevent timing attacks.
Everything teams need to build reliable, maintainable event-driven integrations.
Subscribe per endpoint to exactly the event types you need. Separate fraud alerts from billing events by routing to different services.
Trigger any event type with synthetic test payloads directly from the dashboard. No real money moves — inspect request/response in the delivery log.
Register up to 25 webhook endpoints per account. Route billing events to your billing service, fraud alerts to your SIEM, and disputes to your CRM.
Browse the full history of every event with request body, response code, latency, and delivery attempt timeline. Re-deliver any event in one click.
All Paymentgate webhook requests originate from a published, stable CIDR range. Add it to your firewall to guarantee only Paymentgate can call your endpoint.
Receive email or Slack alerts when an endpoint failure rate exceeds a configurable threshold, before the retry window closes and events are abandoned.
"The signature verification example in the docs works first try — no surprises. We migrated from a competitor whose webhook delivery was flaky. Paymentgate's retry logic recovered 340 events during a 2-hour outage we had last quarter. Zero revenue impact."
"Event filtering is the feature we didn't know we needed. We route payment.succeeded to our fulfilment service, dispute.opened to the ops team, and fraud.flagged straight to our SIEM — all from one account. Clean separation without a message broker."
"The 30-day event log saved us during a bug investigation. We were able to replay specific payment.succeeded events from 3 weeks back and pinpoint exactly where our order service dropped the ball. Re-delivery from the dashboard fixed 47 affected orders in minutes."
Return any 2xx status code (200, 201, 202, 204) to acknowledge receipt. Any non-2xx response — including 3xx redirects — is treated as a failure and triggers the retry schedule. Respond within 30 seconds; requests that time out are also retried.
Yes — Paymentgate operates at-least-once delivery. If your endpoint is slow, timeouts or a transient network error may cause the event to be retried even if your handler already processed it. Always persist the Paymentgate-Event-Id header and deduplicate before taking business actions.
Use the Test Console in the Paymentgate dashboard to fire synthetic events at any registered endpoint — including localhost via our CLI tunnel. Alternatively, use the Paymentgate CLI: pg webhook listen --forward-to localhost:3000/webhooks to proxy live test events to your machine.
Delivery order is best-effort. Under normal conditions events arrive in the order they occurred, but retries and parallel delivery can cause out-of-order arrival. Always use the created_at timestamp inside the event payload rather than arrival order to sequence state transitions.
From the dashboard, generate a new secret — Paymentgate enters a 24-hour grace period during which both the old and new secrets are accepted. Deploy your updated handler before the grace period ends, then revoke the old secret. Zero-downtime rotation with no dropped events.
Register your first webhook endpoint, verify the signature, and go live — no approval needed.
Available on all plans · Up to 25 endpoints · 30-day event history