Polling the Shogun API to detect new payments and transfers is slow and wastes quota. Webhooks solve this: you register an HTTPS endpoint once, and Shogun delivers a signed HTTP POST to your server within seconds of every matching event. This page shows you how to register that endpoint, which events you can subscribe to, and how to verify that every delivery is genuinely from Shogun.

Endpoint

POST https://baasapi.payrepmfb.com/api/v1/customer/api/create_webhook
Authentication: Authorization: Bearer <token> — obtain a token from Generate Token.

Request parameters

url (string, required)
The fully-qualified HTTPS URL where Shogun will POST event payloads. Must use https://. Shogun will reject plain http:// endpoints. Example: https://yourapp.com/webhooks/shogun

events (array of strings)
The event types you want to receive. Omit to receive all events, or specify one or more of:

Value | Triggered when
COLLECTION_SUCCESS | A payment is received on one of your virtual or current accounts
TRANSFER_SUCCESS | An outbound transfer completes successfully
TRANSFER_FAILED | An outbound transfer is rejected or times out

ip_whitelist (array of strings)
Optional. A list of IP addresses from which Shogun should accept webhook delivery acknowledgements. Leave empty to allow any source.

Example request

curl -X POST https://baasapi.payrepmfb.com/api/v1/customer/api/create_webhook \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://yourapp.com/webhooks/shogun",
    "events": ["COLLECTION_SUCCESS", "TRANSFER_SUCCESS", "TRANSFER_FAILED"]
  }'

Response

201 Created

status (boolean)
true on success.

response_code (string)
"00" on success.

message (string)
Human-readable result message.

data (object)
The created webhook configuration.

{
  "status": true,
  "response_code": "00",
  "message": "Webhook created successfully",
  "data": {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "url": "https://yourapp.com/webhooks/shogun",
    "ip_whitelist": [],
    "created_at": "2026-04-28T09:00:00Z",
    "updated_at": "2026-04-28T09:00:00Z"
  }
}

Verifying webhook signatures

Every webhook Shogun delivers includes an X-Shogun-Signature header. The value is the HMAC-SHA256 digest of the raw request body, prefixed with sha256= and computed using your webhook secret. Always verify this signature before you process the payload. This prevents your server from acting on spoofed requests from third parties.
Never process a webhook payload before confirming that X-Shogun-Signature matches your own computed HMAC. Skipping verification exposes your system to replay and forgery attacks.
Your webhook secret is the client_secret associated with your API client, available from Dashboard → Security → API Client.

Verification algorithm

  1. Read the raw request body as bytes — do not parse it first.
  2. Compute HMAC-SHA256(secret, raw_body) and hex-encode the digest.
  3. Prepend sha256= to produce the expected signature.
  4. Compare with the X-Shogun-Signature header using a constant-time comparison function to avoid timing attacks.
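
import hashlib
import hmac

from flask import Flask, request, abort

def verify_webhook(payload_body: bytes, signature_header: str, secret: str) -> bool:
    # HMAC-SHA256 over the raw body, hex-encoded and prefixed with "sha256=".
    digest = hmac.new(
        secret.encode(),
        payload_body,
        hashlib.sha256
    ).hexdigest()
    expected = f"sha256={digest}".encode()
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input,
    # which would turn a malformed header into a 500 instead of a 401.
    return hmac.compare_digest(expected, signature_header.encode())

# Usage in a Flask handler
app = Flask(__name__)
WEBHOOK_SECRET = "your-client-secret"  # placeholder for your client_secret

@app.route("/webhooks/shogun", methods=["POST"])
def shogun_webhook():
    signature = request.headers.get("X-Shogun-Signature", "")
    # get_data() returns the raw bytes; verify them before any parsing.
    if not verify_webhook(request.get_data(), signature, WEBHOOK_SECRET):
        abort(401, "Invalid signature")

    event = request.json
    # Process event["event"] and event["data"] here
    return "", 200
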
Use your raw request bytes for the HMAC computation, before any JSON parsing. Parsers may reformat whitespace or key order, which will invalidate the signature check.
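
A local self-test of the verification steps and the raw-bytes rule above, as an added example that is not Shogun's own code: it signs a constructed delivery the way the page describes, then shows that the raw body verifies while a re-serialized body, an unprefixed header and a non-ASCII header are all rejected. The secret, the payload (including the "amount" field), the function names and the choice to acknowledge unsubscribed event types with 200 are assumptions for illustration.

```python
import hashlib
import hmac
import json

PREFIX = "sha256="
SECRET = "constructed-test-secret"  # constructed, not a real client_secret
# Constructed delivery body; "amount" is a hypothetical field.
RAW = b'{"event": "COLLECTION_SUCCESS", "data": {"amount": 5000}}'

def sign(raw_body, secret):
    """Header value as the page defines it; used here only to build test input."""
    return PREFIX + hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify(raw_body, header, secret):
    """Reject missing, unprefixed or non-ASCII headers without raising."""
    if not header or not header.startswith(PREFIX) or not header.isascii():
        return False
    return hmac.compare_digest(sign(raw_body, secret).encode(), header.encode())

def handle(raw_body, header, secret, handlers):
    """Return the HTTP status a receiver would send; parse only after verifying."""
    if not verify(raw_body, header, secret):
        return 401
    try:
        event = json.loads(raw_body)
        handler = handlers.get(event["event"])
    except (ValueError, KeyError, TypeError):
        return 400
    if handler is not None:  # assumption: unsubscribed types are acknowledged
        handler(event.get("data"))
    return 200

def demo():
    header = sign(RAW, SECRET)
    # Same JSON, re-serialized without spaces: different bytes, different HMAC.
    compact = json.dumps(json.loads(RAW), separators=(",", ":")).encode()
    seen = []
    handlers = {"COLLECTION_SUCCESS": seen.append}
    return {
        "raw": handle(RAW, header, SECRET, handlers),
        "reserialized": handle(compact, header, SECRET, handlers),
        "no_prefix": handle(RAW, header[len(PREFIX):], SECRET, handlers),
        "non_ascii": handle(RAW, PREFIX + "\u00e9" * 64, SECRET, handlers),
        "handled": seen,
    }

if __name__ == "__main__":
    print(demo())
```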