Bamboo notifies merchants asynchronously about the final status of a transaction or chargeback through Webhooks. The merchant must publish an HTTP/REST endpoint capable of receiving and validating these notifications.

Authentication and Signature

Each notification sent by Bamboo includes a digital signature in the request header.
The merchant must validate this signature to ensure the message’s authenticity and prevent tampering.

Property	Type	Description
Method	`POST`	All webhook notifications use the HTTP POST method.
Content-Type	`application/json`	The request body is formatted in JSON.
Authentication	Header signature	HMAC SHA-256 generated using the merchant’s private key.
Response	HTTP Status Code	`200 OK` confirms successful processing. Any other code triggers retries.

Signature validation example

var key = merchantSecretKey;
var receivedData = PurchaseId + Amount + Currency + utcNow; // dateSent header
var expectedSignature = CryptoJS.HmacSHA256(receivedData, key).toString(CryptoJS.enc.Hex);

if (expectedSignature === receivedSignature)
  console.log("Signature is valid");
else
  console.log("Invalid signature");

⚠️
Always validate the signature using your private key before processing any notification.

Retry Policy

If the merchant’s endpoint does not respond with HTTP 200 (OK), Bamboo automatically retries the webhook notification up to five times, with increasing intervals between each attempt.

Attempt	Delay after previous try
1st retry	15 minutes
2nd retry	30 minutes
3rd retry	1 hour
4th retry	3 hours
5th retry	6 hours

If all retries fail, the notification will stop being sent automatically. For additional retry attempts or to manually reprocess a webhook, contact Bamboo Support.

💡
Ensure your webhook endpoint returns HTTP 200 (OK) after successful processing to prevent duplicate notifications.

Webhook Types

Bamboo supports two webhook types, depending on the information required by the merchant system.

Transaction Webhook

Sends notifications about the final status of any transaction, including purchases and refunds.

Chargeback Webhook

Sends notifications when a chargeback is created or its status changes.