Webhooks are HTTP callbacks that RemitFlex sends to your server when something happens — a payment delivers, a conversion completes, or a compliance review is triggered. Instead of polling the API for status changes, you register an endpoint and RemitFlex pushes events to you in real time.
Register your webhook endpoint
Add your endpoint URL in the RemitFlex dashboard:
Open the Webhooks settings
Go to Dashboard → Settings → Webhooks and click Add endpoint.
Provide a publicly accessible HTTPS URL on your server (for example, https://api.yourapp.com/webhooks/remitflex). RemitFlex does not support plain HTTP endpoints.
Select the events to receive
Choose specific event types or select Receive all events to subscribe to everything.
Save and copy your webhook secret
After saving, RemitFlex displays a signing secret for this endpoint. Copy it now — you’ll use it to verify incoming request signatures. It is shown only once.
You can register multiple endpoints and subscribe different endpoints to different event subsets. This is useful for separating payment notifications from compliance alerts.
Supported event types
| Event | Triggered when |
|---|
payment.created | A new payment has been initiated |
payment.processing | The payment is actively being settled |
payment.settled | Funds have settled on-chain |
payment.delivered | Fiat has been deposited into the recipient’s account |
payment.failed | The payment could not be completed (includes failure_reason) |
payment.cancelled | The payment was cancelled before processing |
conversion.completed | A currency conversion has finished |
offramp.settled | The off-ramp bank transfer has been submitted |
offramp.delivered | Fiat delivery confirmed by the destination bank |
offramp.failed | The off-ramp could not be completed (includes failure_reason) |
compliance.review_required | A transaction has been flagged for manual compliance review |
Webhook payload structure
Every event RemitFlex sends has the same envelope structure:
{
"id": "evt_01HX9P5S3KVZWP9QJDB6CTYMX",
"type": "payment.delivered",
"created_at": "2024-01-15T14:30:00Z",
"data": {
"payment_id": "pmt_01HX4N3RKVZWP9QJDB6CTYMX8",
"status": "delivered",
"amount": 500,
"currency": "USDC",
"destination_currency": "EUR",
"converted_amount": 461.25,
"delivered_at": "2024-01-15T14:28:00Z"
}
}
| Field | Type | Description |
|---|
id | string | Unique event ID, prefixed evt_. Use this to deduplicate retried deliveries. |
type | string | The event type string (e.g., payment.delivered) |
created_at | string | ISO 8601 timestamp when the event was generated |
data | object | Event-specific payload; structure varies by type |
Verify webhook signatures
RemitFlex signs every webhook request with HMAC-SHA256 using your webhook secret. The signature is sent in the X-RemitFlex-Signature header:
X-RemitFlex-Signature: sha256=a3f9e2c1b8d047...
const crypto = require('crypto');
function verifyWebhook(payload, signature, secret) {
const expectedSig = crypto
.createHmac('sha256', secret)
.update(payload, 'utf8')
.digest('hex');
const expected = `sha256=${expectedSig}`;
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// Express.js example
app.post('/webhooks/remitflex', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.headers['x-remitflex-signature'];
const isValid = verifyWebhook(req.body, signature, process.env.REMITFLEX_WEBHOOK_SECRET);
if (!isValid) {
return res.status(401).send('Invalid signature');
}
const event = JSON.parse(req.body);
// Handle event...
res.status(200).send('OK');
});
Compute the HMAC over the raw request body bytes, not the parsed JSON object. Any whitespace or key-ordering difference in the serialized form will produce a different hash and cause verification to fail.
Use timingSafeEqual (JavaScript) or hmac.compare_digest (Python) for the final comparison rather than === or ==. Constant-time comparison prevents timing attacks that could allow an attacker to guess your secret.
Retry policy
If your endpoint returns a non-2xx HTTP status code or fails to respond within 10 seconds, RemitFlex considers the delivery failed and retries automatically:
| Attempt | Delay after previous failure |
|---|
| 1st retry | 30 seconds |
| 2nd retry | 5 minutes |
| 3rd retry | 30 minutes |
| 4th retry | 2 hours |
| 5th retry | 8 hours |
Because retries mean the same event may arrive more than once, make your handler idempotent. Use the id field (e.g., evt_01HX9P5S...) to record which events you have already processed and skip duplicates.
Responding to webhooks
Your endpoint must return an HTTP 200 response to acknowledge receipt. RemitFlex treats any status outside the 2xx range as a failure and schedules a retry.
Keep your response fast. If you need to perform slow operations (database writes, downstream API calls), acknowledge the webhook immediately and process the payload asynchronously:
app.post('/webhooks/remitflex', express.raw({ type: 'application/json' }), async (req, res) => {
const signature = req.headers['x-remitflex-signature'];
if (!verifyWebhook(req.body, signature, process.env.REMITFLEX_WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
// Acknowledge immediately — before any async work
res.status(200).send('OK');
// Process asynchronously
const event = JSON.parse(req.body);
await processEvent(event);
});
