Money In Operation — This webhook fires when a customer completes a Virtual Account payment, transferring funds into your SingaPay account.
Information
| Method | Path | Format | Authentication |
|---|---|---|---|
| POST | https://your-webhook-url/callback | json | HMAC SHA512 Signature |
POST request to your configured transaction_notif_url when a Virtual Account transaction is successfully processed.
This webhook may share a callback URL with other event types. See Shared webhook endpoints for routing by
event value.Request Details
Headers
| Field | Value | Type | Mandatory | Description |
|---|---|---|---|---|
Content-Type | application/json | Alphabetic | Yes | Specifies JSON format for the request body |
User-Agent | SingaPaymentGateway/1.0 | Alphabetic | Yes | Identifies the source of the webhook |
Accept | application/json | Alphabetic | Yes | Expected response format |
X-PARTNER-ID | — | Alphanumeric | Yes | Your API Key from the merchant dashboard |
X-Signature | — | Alphanumeric | Yes | HMAC SHA512 signature (128 chars) for request verification |
X-Timestamp | — | Numeric | Yes | Unix timestamp in seconds when the request was sent |
Authorization | Bearer <random_token> | Alphanumeric | Yes | System-generated random bearer token; used as a component in the signature |
The
Authorization token for VA webhooks is a randomly generated string — not a user access token. This is because the webhook is triggered by a bank payment notification (system event), not a user action. Extract it as-is from the header and use it in the string to sign. See How to Validate Signature below.Body Parameters
HTTP Status Code. Example:
200Indicates if the transaction was successful. Example:
trueEvent type identifier. Always
"va-transaction" for this webhook.Event timestamp in format
"d M Y H:i:s". Example: "26 Dec 2025 13:35:45"Container for transaction and payment details.
Payload Example
Success
Security and responses
Return HTTP200 promptly after validating the request. For retry behavior, see Webhook retry mechanism.
Verify every webhook using Security and signature validation. Use your configured callback path when building StringToSign.
Handle duplicate deliveries idempotently using stable identifiers from the payload (for example transaction_id or reff_no).