Payblis provides three types of callbacks:

  • Success URL (urlOK): Customer redirection after successful payment
  • Failure URL (urlKO): Customer redirection after failed payment
  • IPN URL (ipnURL): Server-to-server notification

IPN Security

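All IPN notifications are signed with HMAC-SHA256. Verify the signature in the X-Payblis-Signature header against the raw request body before acting on a notification. The urlOK and urlKO redirects pass through the customer's browser, so confirm the payment status from the verified IPN rather than from the redirect.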

PHP Implementation
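// Verify a Payblis IPN notification before trusting any of its contents.
// $your_secret_key is the merchant's shared secret. It must be defined before
// this point; load it from server-side configuration, not from source control.

// Fail closed when the secret is missing: an empty HMAC key would let anyone
// compute a matching signature.
if (empty($your_secret_key)) {
    http_response_code(500);
    die('Server configuration error');
}

// Get the signature from the header. A missing header becomes an empty string,
// which cannot equal a SHA-256 hex digest and is rejected below.
$signature = $_SERVER['HTTP_X_PAYBLIS_SIGNATURE'] ?? '';

// Get the raw POST data. The HMAC covers the exact bytes received, so the body
// must be verified before it is decoded or otherwise transformed.
$payload = file_get_contents('php://input');
if ($payload === false) {
    http_response_code(400);
    die('Unable to read request body');
}

// Calculate the expected signature.
// hash_hmac() returns lowercase hex; this assumes the header uses the same
// encoding -- TODO confirm against the Payblis documentation.
$expectedSignature = hash_hmac('sha256', $payload, $your_secret_key);

// Compare signatures in constant time so the comparison does not leak how many
// leading characters matched.
if (!hash_equals($expectedSignature, $signature)) {
    http_response_code(400);
    die('Invalid signature');
}

// Process the IPN data. json_decode() returns null for malformed JSON and a
// scalar for non-object bodies; only an associative array is usable here.
$data = json_decode($payload, true);
if (!is_array($data)) {
    http_response_code(400);
    die('Invalid payload');
}

// NOTE(review): a valid signature does not rule out the same notification being
// delivered more than once. Record transaction_id and check amount and
// merchant_reference against the stored order before fulfilling it.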

IPN Example

payment.success
{
    "event": "payment.success",
    "merchant_reference": "Order-xxxxxxx",
    "transaction_id": "PAYBxxxxxxx",
    "amount": "14.17",
    "status": "SUCCESS",
    "payment_details": {
        "card_brand": "VISA",
        "card_last4": "6624",
        "authorization_code": "000000",
        "transaction_date": "2025-05-07 03:53:04",
        "threeds": {
            "status": "Y",
            "warranty": true,
            "warranty_details": "100% liability transfer to the bank of the holder"
        },
        "arn": "123456",
        "archive": "OEIT51WRIWOV"
    }
}
payment.failed
{
    "event": "payment.failed",
    "merchant_reference": "1098",
    "transaction_id": "PAYB-FAILED-6818766989175",
    "amount": "10",
    "status": "FAILED",
    "payment_details": {
        "failure_reason": "Card validation failed"
    }
}