Webhooks & Events
Time: ~10 minutes | Difficulty: Beginner Use the TagadaPay Node SDK to register HTTPS endpoints for real-time notifications, verify deliveries cryptographically, and query the event log for debugging and analytics.What webhooks are (and why use them)
Webhooks are HTTP callbacks TagadaPay sends to your server when something happens on the platform — for example, a successful payment or a subscription change. Your endpoint receives a JSON payload so you can update your database, trigger fulfillment, notify internal tools, or sync with Zapier/n8n without polling the API.Webhooks run asynchronously after the triggering action. Design your handler to respond quickly (e.g. validate the signature, enqueue work, return
2xx). Heavy work should happen in a background job.Create a webhook
Register a URL and the event types you care about. The API returns the endpoint id, URL, signing secret, subscribed types, and whether the endpoint is enabled.The signing secret
Each webhook endpoint has a unique secret. TagadaPay uses it to compute an HMAC-SHA256 signature over the raw JSON body of each delivery. Your server must verify that signature before trusting the payload.Event type strings in
eventTypes must exactly match the names listed below (slash format like order/paid). The SDK validates event types at build time via TypeScript and at runtime — passing an invalid type will throw an error immediately.List webhooks
Delete a webhook
Available event types
All webhook event types use the slash format (category/event). These are the only valid values accepted by the eventTypes field.
Order events
Checkout events
Payment events
Subscription events
Funnel events
Club events
Security events
Events API (query & analytics)
Use the Events resource to audit activity, build dashboards, or debug webhook payloads.Recent events
Statistics
List with filters and pagination
appEvents.createdAt / appEvents.processedAt, customer.email, appEvents.draft, and free-text search.
Webhook subscriptions use slash-format names like
order/paid and subscription/created. The Events list API may return internal eventType strings (for example s_order_paid) — these are for internal analytics and should not be used when creating webhooks.Webhook signature verification (HMAC-SHA256)
TagadaPay signs the exact JSON string sent as the request body.- Read the raw body as a string (do not parse JSON before verifying).
- Compute
HMAC-SHA256(secret, rawBody)and hex-encode the digest. - Compare to the
X-TagadaPay-Signatureheader value after thesha256=prefix.
X-TagadaPay-Timestamp and User-Agent: TagadaPay-Webhooks/1.0. You can use the timestamp for optional replay protection.
SDK methods reference
Next steps
Node SDK Quick Start
Install the SDK, authenticate, and explore core resources
Sandbox Testing
Exercise payments and webhook-style flows without live processors
Merchant Quick Start
End-to-end store, funnel, and checkout setup
Subscriptions
Recurring billing and subscription lifecycle
