Skip to main content
Money In Operation — This webhook fires when a customer completes a QRIS payment, transferring funds into your SingaPay account.

Information

MethodPathFormatAuthentication
POSThttps://your-webhook-url/callbackjsonHMAC SHA512 Signature
SingaPay sends a POST request to your configured transaction_notif_url when a QRIS transaction is successfully processed.
This webhook may share a callback URL with other event types. See Shared webhook endpoints for routing by event value.

Request Details

Headers

FieldValueTypeMandatoryDescription
Content-Typeapplication/jsonAlphabeticYesSpecifies JSON format for the request body
User-AgentSingaPaymentGateway/1.0AlphabeticYesIdentifies the source of the webhook
Acceptapplication/jsonAlphabeticYesExpected response format
X-PARTNER-IDAlphanumericYesYour API Key from the merchant dashboard
X-SignatureAlphanumericYesHMAC SHA512 signature (128 chars) for request verification
X-TimestampNumericYesUnix timestamp in seconds when the request was sent
AuthorizationBearer <random_token>AlphanumericYesSystem-generated random bearer token; used as a component in the signature
The Authorization token for QRIS webhooks is a randomly generated string — not a user access token. This webhook is triggered by a bank payment notification (system event), not a user action. Extract the token as-is from the header and use it in the string to sign. See How to Validate Signature below.

Body Parameters

status
number
required
HTTP Status Code. Example: 200
success
boolean
required
Indicates if the transaction was successful. Example: true
event
string
required
Event type identifier. Always "qris-acquirer-transaction" for this webhook.
timestamp
string
required
Event timestamp in format "d M Y H:i:s". Example: "26 Dec 2025 13:31:59"
data
object
required
Container for transaction, customer, and payment details.

Payload Example

Success
{
  "status": 200,
  "success": true,
  "event": "qris-acquirer-transaction",
  "timestamp": "26 Dec 2025 13:31:59",
  "data": {
    "transaction": {
      "id": 42,
      "reff_no": "6601K62BH34X445J046C4W5249E6",
      "merchant_reff_no": "INV-2026-001",
      "type": "qris",
      "status": "paid",
      "amount": {
        "value": 1000123,
        "currency": "IDR"
      },
      "tip": {
        "value": 0,
        "currency": "IDR"
      },
      "total_amount": {
        "value": 1000123,
        "currency": "IDR"
      },
      "post_timestamp": "26 Dec 2025 13:31:59",
      "processed_timestamp": "26 Dec 2025 13:31:59"
    },
    "customer": {
      "id": "01K2KVRQQP45234X9T3YWG1FKT",
      "name": "Moh. Zulkifli Katili",
      "email": "tes@gmail.com",
      "phone": "08123993201"
    },
    "payment": {
      "method": "qris",
      "additional_info": {
        "qr_string": "00020101021226570015ID.SINGAPAY.WWW01110508140001102122183098102390303UMI51440014ID.CO.QRIS.WWW02157434441747371980303UMI520472315303360540710001235802ID5916PT TARSIUS TAHIR6009Tangerang6105544786253051017588683110703C0108286601K62BH34X445J046C4W5249E663045FC6",
        "payment_event_id": 12345
      }
    }
  }
}


Security and responses

Return HTTP 200 promptly after validating the request. For retry behavior, see Webhook retry mechanism. Verify every webhook using Security and signature validation. Use your configured callback path when building StringToSign. Handle duplicate deliveries idempotently using stable identifiers from the payload (for example transaction_id or reff_no).