Developer platform
Webhooks
Use signed webhook events to update your application after ForgePay payment state changes.
ForgePay is not a bank. ForgeCredit is an internal settlement unit for services available in the ForgePay ecosystem.
Configure an endpoint
Open Dashboard > Merchant API and add an HTTPS webhook URL. ForgePay shows the signing secret once. Store it securely and use it to verify every webhook event.
Signature verification
ForgePay signs webhooks with HMAC-SHA256 over `{timestamp}.{rawBody}`. Verify the signature with a timing-safe comparison before parsing business data.
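```javascript
import crypto from "node:crypto";

// Returns true only if `signature` is the hex HMAC-SHA256 of `{timestamp}.{rawBody}`.
function verifyForgePayWebhook({ rawBody, timestamp, signature, secret }) {
  if (typeof signature !== "string") return false;
  const payload = `${timestamp}.${rawBody}`;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  const given = Buffer.from(signature, "hex");
  const wanted = Buffer.from(expected, "hex");
  // timingSafeEqual throws if the buffers differ in length, so check that first.
  return given.length === wanted.length && crypto.timingSafeEqual(given, wanted);
}
```
Webhook event example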
Common events include `checkout.session.created`, `checkout.session.paid`, `checkout.session.cancelled`, `subscription.activated`, `subscription.charge.succeeded`, `subscription.charge.failed` and `subscription.cancelled`.
```json
{
  "id": "evt_cuid_example",
  "object": "event",
  "type": "checkout.session.paid",
  "created_at": "2026-06-03T12:05:00.000Z",
  "data": {
    "object": {
      "id": "checkout_cuid_example",
      "object": "checkout_session",
      "merchant_id": "merchant_cuid_example",
      "mode": "test",
      "status": "paid",
      "currency": "FGC",
      "amount_minor": "25000",
      "amount_fgc": "250",
      "customer_reference": "customer_42",
      "external_reference": null,
      "description": "AI writing package",
      "created_at": "2026-06-03T12:00:00.000Z",
      "updated_at": "2026-06-03T12:05:00.000Z"
    }
  }
}
```
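Added example (not ForgePay's code): a receiver that applies the signature check to the exact bytes received before calling `JSON.parse`, then rejects stale timestamps and repeated event ids, run against a trimmed copy of the event above. The Unix-seconds timestamp format, the 300-second tolerance, the `seen` id store, the `sign`, `receiveWebhook` and `demo` names, and the test secret are assumptions made for illustration, not documented ForgePay behaviour.

```javascript
const crypto = require("node:crypto"); // CommonJS form of the page's import

const TOLERANCE_SECONDS = 300; // assumption: replay window, not a documented ForgePay value

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// rawBody must be the exact string received. Re-serializing parsed JSON changes
// the signed bytes, so verification has to happen before any body parser runs.
function receiveWebhook({ rawBody, timestamp, signature, secret, nowSeconds, seen }) {
  // Reject anything that is not 64 hex characters; this also guarantees equal
  // buffer lengths, which timingSafeEqual requires (it throws otherwise).
  if (!/^[0-9a-f]{64}$/i.test(signature)) return { status: 401, reason: "bad_signature" };
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  if (!crypto.timingSafeEqual(Buffer.from(signature, "hex"), expected)) {
    return { status: 401, reason: "bad_signature" };
  }
  // The timestamp is trusted only now that the signature covers it (assumed Unix seconds).
  if (!(Math.abs(nowSeconds - Number(timestamp)) <= TOLERANCE_SECONDS)) {
    return { status: 400, reason: "stale_timestamp" };
  }
  const event = JSON.parse(rawBody); // business data is parsed only after verification
  if (seen.has(event.id)) return { status: 200, reason: "duplicate_ignored" };
  seen.add(event.id); // assumption: a durable store in production, a Set here
  return { status: 200, reason: "accepted", event };
}

// Constructed sample input: test secret, timestamp, and a trimmed copy of the page's event.
const SECRET = "constructed_test_secret";
const NOW = 1780488300;
const BODY = '{"id":"evt_cuid_example","type":"checkout.session.paid",' +
  '"data":{"object":{"status":"paid","amount_minor":"25000"}}}';
const SIG = sign(SECRET, NOW, BODY);

function demo() {
  const seen = new Set();
  const base = { timestamp: NOW, secret: SECRET, nowSeconds: NOW, seen };
  return [
    receiveWebhook({ ...base, rawBody: BODY, signature: SIG }),            // genuine delivery
    receiveWebhook({ ...base, rawBody: BODY, signature: SIG }),            // same event again
    receiveWebhook({ ...base, rawBody: JSON.stringify(JSON.parse(BODY), null, 2), signature: SIG }),
    receiveWebhook({ ...base, rawBody: BODY, signature: "not-hex" }),      // malformed header
    receiveWebhook({ ...base, rawBody: BODY, signature: SIG, nowSeconds: NOW + 3600 }),
  ].map((r) => r.reason);
}
console.log(demo());
```

The third case is the common integration mistake: a framework JSON parser consumed the body and the handler re-serialized it, so the HMAC no longer matches the signed bytes.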