Handling The Callback
Verify and process APM webhook callbacks
1 min readUpdated Mar 26, 2026
After the customer completes (or fails) the payment, Exirom sends a server-to-server POST to your callbackUrl with the final transaction status.
#Processing Steps
- Verify the
X-Checksumheader — recompute the HMAC-SHA256 usingaccountId | orderAmount | orderCurrency | transactionIdand compare. Reject if it doesn't match. See Checksum Authentication. - Look up the transaction by
requestIdortransactionId - Update your system based on
transactionStatus - Return
200 OKpromptly — Exirom retries on non-2xx responses
Amount format: In callbacks,
amountis a numeric value (e.g.200.0), not a string. Use the exact callback value for checksum verification — do not reuse the original request amount.
#Callback Routing
Exirom appends query parameters to your callbackUrl so you can route before reading the body:
?paymentMethod=apm&apmType={METHOD}— APM callbacks?paymentMethod=card— card callbacks
Use apmType to select the correct parser — apmResponseData structure varies by APM.
For the full callback payload schema, see API Reference: GET /api/v1/payments/apm/info/{id}.
#Related
- Checksum Authentication — HMAC-SHA256 signing algorithm
- Webhook Best Practices — Retry handling, idempotency, security
- Webhook Callback & Transaction Lifecycle — Full webhook routing details
Was this helpful?