Webhooks

Webhooks are used to receive events from Commbank relating to PayTo Agreements and Payment Initiations. To receive webhooks you must create a Callback API Endpoint so that we can deliver these events to you.

Webhooks provide real-time notifications about important events in your PayTo Agreements and Payments.

Events Overview

Agreement Events

Events related to PayTo Agreement lifecycle.

Payment Events

Events related to Payment Initiations.

Events are generated to notify you of asynchronous activities performed on your payments and PayTo Agreements.

PayTo Agreement Events

PayTo Agreement Event Sample

This is an example of a successful agreement activation event.

agreement_activated.json

{
  "id": "2a38567a-c7d4-4dd9-a5cd-e658565940ae",
  "eventName": "AGREEMENT_ACTIVATED",
  "apiVersion": "1",
  "createdDate": "2024-06-18T04:20:19.324Z",
  "data": {
    "agreementID": "0ca4bdc1-2d2a-11ef-b22d-a6034fd58c6f",
    "status": "activated",
    "statusReasonCode": "AC02",
    "statusReason": "customer simulated response",
    "initiator": "DEBTOR"
  }
}

PayTo Agreement Event Fields

Field	Description
`id`	The ID in UUIDv4 format for the Agreement that this notification relates to
`eventName`	The name of the event (refer to below table)
`apiVersion`	The version of the API you are using (currently 1)
`createdDate`	Timestamp of the event notification
`agreementID`	The ID in UUIDv4 format for the Agreement that this notification relates to
`statusReason`	Reason for the event notification
`status`	The status (refer to below table)
`statusReasonCode`	Code indicating the reason for the status change
`initiator`	The party that initiated the event that triggered this notification to be sent

PayTo Agreement Event Names and Statuses

This table shows all possible event names and their corresponding statuses for PayTo Agreements.

Event Name	Status	Description
AGREEMENT_CREATED	accepted	The request to create a PayTo Agreement has been accepted by Commbank
AGREEMENT_CREATION_FAILED	failed	The PayTo Agreement failed to be created check status reason code
AGREEMENT_FAILED	failed	The PayTo Agreement failed to be created check status reason code
AGREEMENT_PENDING	created	The PayTo Agreement has been created and is awaiting the customer to authorise the PayTo Agreement
AGREEMENT_ACTIVATED	activated	The PayTo Agreement has been authorised by the customer
AGREEMENT_SUSPENDED	suspended	The PayTo Agreement has been suspended by either you or the customer
AGREEMENT_CANCELLED	cancelled	The PayTo Agreement has been cancelled by either you or the customer

PayTo Agreement Payment Initiation Events

Payment Initiation Event Sample

{
  "id": "1c6fab4b-16d1-4b45-86ec-55e97942d506",
  "eventName": "PAYMENT_FAILED",
  "apiVersion": "1",
  "createdDate": "2024-06-18T04:10:46.417Z",
  "data": {
    "agreementID": "947034ff-2d28-11ef-b394-76613a8a3c20",
    "nppMandateId": "3f4cb5da0000000000000000e1d6a07d",
    "paymentId": "bc8b1cf0-2d28-11ef-ba83-0d09ed77cf23",
    "status": "failed",
    "amount": "100.00",
    "currency": "AUD",
    "initiator": "DEBTOR"
  }
}

Payment Initiation Event Fields

id the ID in UUIDv4 format for the Agreement that this notification relates to
eventName the name of the event (refer to below table)
apiVersion the version of the API you are using (currently 1)
createdDate: timestamp of the event notification
agreementID the ID in UUIDv4 format for the Agreement that this notification relates to
nppMandateId the ID of the PayTo Agreement as stored at NPP's MMS (Mandate Management Service)
paymentId the ID in UUIDv4 format for the Payment Initiation Request that this notification relates to
status the status (refer to below table)
amount the amount of the payment to 2 decimal places
currency always AUD
initiator The party that initiated the event that triggered this notification to be sent.

Payment Initiation Event Names and Statuses

This table shows all possible event names and their corresponding statuses for Payment Initiations.

Event Name	Status	Description
PAYMENT_IN_PROGRESS	payment_accepted	The PayTo Agreement Payment Initiation Request has been accepted by Commbank
PAYMENT_IN_PROGRESS	settlement_in_progress	The PayTo Agreement Payment Initiation Request is currently in progress
PAYMENT_SUCCEEDED	successful	The PayTo Agreement Payment Initiation Request has completed successfully. Funds have cleared and settled.
PAYMENT_FAILED	failed	The PayTo Agreement Payment Initiation Request has failed.

Status Reason Codes

These status reason codes are used to provide more detailed information about the status of an agreement or payment.

Status Reason Code	Status Reason
AC02	Invalid Debtor Account Number
AC04	Closed Account Number
AC05	Closed Debtor Account Number
AC06	Blocked Account
AC13	Invalid Debtor Account Type

PayTo Initiator Values

Code	Definition	Example
DEBTOR	Event was triggered by the Agreement's Debtor.	End customer amended the debtor details of the Agreement.
CREDITOR	Event was triggered by the Agreement's Creditor.	Merchant amended the terms of the Agreement.
SERVICE_PROVIDER	Event was triggered by the Agreement service provider.	Agreement COMPLETED due to a successful last payment.
THIRD_PARTY	Event was triggered by a Third Party such as a downstream payment provider.	NPP automatically cancelling a PayTo mandate on the final payment.

Create a Callback API Endpoint

Follow these steps to set up your Callback API Endpoint for receiving webhook events.

Step 1

Create a POST HTTPS endpoint to receive events.

Step 2

Provide custom headers like API Key you want Commbank to pass to you.

Step 3

Request your HMAC secret from Commbank.

Step 4

Provide your Callback API Endpoint URL to Commbank.

Step 5

Request Commbank NAT IPs to whitelist in your firewall if required.

Receiving Events

Events can be received by creating PayTo Agreements or PayTo Payment Initiations Requests using the supplied Postman collection (contact your Commbank Account Manager to obtain a copy of the Postman collection).

Prerequisites

Requirement	Description
Callback API Endpoint URL and IP Address	Provide your endpoint URL and IP address to Commbank
Custom Headers	Specify any custom headers you want Commbank to include
HMAC Secret	Receive your HMAC secret from Commbank for signature verification

Commbank will send events to you with the custom headers. You should ensure that your Callback API Endpoint is secured, authentication and data integrity are handled to allow POST to your Callback API Endpoint.

Validating an Event

Always validate webhook events to ensure they are authentic and have not been tampered with.

Commbank will sign events using an HMAC SHA-256 signature. To ensure data integrity, you should validate all events you receive by comparing the hash signature in the request header x-hmac-signature with the HMAC hash value you generate. To do this, you may want to use a common library for HMAC signature creation.

When generating the HMAC hash value, please create the signature using the following structure:

POST${consumer_url}${timestamp}${notification_payload}

We include a timestamp to enhance security, and you can use it to prevent replay attacks. You can retrieve the timestamp from the timestamp header. Please also use hex to generate the HMAC hash value.

Request Headers

Header	Description
`Content-Type`	Always `application/json`
`x-hmac-signature`	HMAC signature for verifying the payload integrity
`x-request-id`	Unique value in UUIDv4 format
Custom headers	Any additional headers you requested

Integration Guide

Follow this guide to properly integrate webhook events into your application.

Decrypting and Verifying HMAC Signature

HMAC Format

The data string format for generating the signature is: POST${consumer_url}${timestamp}${notification_payload}.

Receive the Webhook

Extract the x-hmac-signature header from the incoming request.
Extract the timestamp from the headers and payload from the request.

Generate Local HMAC

Use the same method to generate the HMAC signature locally using the received timestamp and payload.

Compare Signatures

Compare the received HMAC signature with the locally generated one using timingSafeEqual to prevent timing attacks.

Sample Code

Use this sample code to verify the HMAC signature of incoming webhook events.

verifyHmacSignature.js

const crypto = require('crypto')

async function verifyHmacSignature(headers, request, path) {
  const secretKey = 'hmac-secret' // Load this from a secure source like Secrets Managers
  const consumerUrl = `https://${headers['host']}${path}`
  const timestamp = headers['timestamp']
  const payload = request
  const localHash = crypto
    .createHmac('sha256', secretKey)
    .update(`POST${consumerUrl}${timestamp}${JSON.stringify(payload)}`)
    .digest('hex')
  const authorizationHeader = headers['x-hmac-signature']?.split(' ') || ''
  if (authorizationHeader.length !== 2) {
    throw new Error('Header authorization not valid')
  }
  const hashFromHeader = authorizationHeader[1]
  const hashMatch = crypto.timingSafeEqual(Buffer.from(hashFromHeader), Buffer.from(localHash))
  if (!hashMatch) {
    throw new Error('Invalid HMAC signature')
  }
  // Signature is valid, process the request
  console.log('HMAC Signature is valid')
}