Payload and verification
This page documents the JSON body Kollect POSTs to your webhookUrl and how to verify X-Kollect-Signature.
HTTP request
Method
POST
Content-Type
application/json
Signature header
X-Kollect-Signature (lowercase hex)
Payload fields
paymentId
string
UUID of the Kollect payment (id).
paymentReference
string
Smart Contract payment reference.
invoiceId
string
Invoice document id (string form of Mongo _id).
invoiceNumber
string
Human-readable invoice number.
status
string
Payment status after update (e.g. success, failed).
event
string
Upstream event: payment.confirmed or payment.failed.
transactionHash
string | null
On-chain transaction hash when applicable; null on some failure paths.
amount
string
Amount stored on the payment record (string).
currency
string
Payment currency (e.g. USDC-mainnet).
interface
string
Integration surface (e.g. kollect-server).
timestamp
string
ISO 8601 timestamp when the payload was constructed.
Example payload
Signature algorithm
Kollect computes:
The HMAC key is your signingSecret. The message is the JSON string of the payload object as produced by Kollect’s serializer for that request.
Verification strategies
Preferred: Read the raw request body bytes as received on the socket, compute HMAC over those bytes, and compare to
X-Kollect-Signature. This avoids JSON normalization differences.Alternative: Parse JSON, then
JSON.stringifywith a serializer that matches Kollect’s output. This is fragile if key order or spacing differs; prefer raw bytes.
Comparison
Use constant-time comparison (e.g. crypto.timingSafeEqual on equal-length buffers in Node.js) to reduce timing side channels.
Node.js example
Idempotent processing
The same payment might generate multiple operational logs; your handler should upsert order state by paymentId (or invoiceNumber + your internal id) and ignore duplicate notifications if already processed.
Last updated
Was this helpful?