Bamboo notifies merchants asynchronously about the final status of a transaction or chargeback through Webhooks. The merchant must publish an HTTP/REST endpoint capable of receiving and validating these notifications.
Authentication and Signature
Each notification sent by Bamboo includes a digital signature in the request header.
The merchant must validate this signature to ensure the message’s authenticity and prevent tampering.
| Property | Type | Description |
|---|---|---|
| Method | POST | All webhook notifications use the HTTP POST method. |
| Content-Type | application/json | The request body is formatted in JSON. |
| Authentication | Header signature | HMAC SHA-256 generated using the merchant’s private key. |
| Response | HTTP Status Code | 200 OK confirms successful processing. Any other code triggers retries. |
Signature validation example
var key = merchantSecretKey;
var receivedData = PurchaseId + Amount + Currency + utcNow; // dateSent header
var expectedSignature = CryptoJS.HmacSHA256(receivedData, key).toString(CryptoJS.enc.Hex);
if (expectedSignature === receivedSignature)
console.log("Signature is valid");
else
console.log("Invalid signature");Always validate the signature using your private key before processing any notification.
Retry Policy
If the merchant’s endpoint does not respond with HTTP 200 (OK), Bamboo automatically retries the webhook notification up to five times, with increasing intervals between each attempt.
| Attempt | Delay after previous try |
|---|---|
| 1st retry | 15 minutes |
| 2nd retry | 30 minutes |
| 3rd retry | 1 hour |
| 4th retry | 3 hours |
| 5th retry | 6 hours |
If all retries fail, the notification will stop being sent automatically. For additional retry attempts or to manually reprocess a webhook, contact Bamboo Support.
Ensure your webhook endpoint returns HTTP 200 (OK) after successful processing to prevent duplicate notifications.
Webhook Types
Bamboo supports two webhook types, depending on the information required by the merchant system.