1. Home
  2. Documentation
  3. Callback Response

Webhook Callback Documentation

Overview

BobPlus Africa sends a webhook callback to your system after every successful or failed deposit or payout transaction. This callback contains all relevant details about the transaction status, allowing your system to process the outcome automatically and securely.

  • Purpose: Notify your system of transaction results in real time.
  • Target Audience: All developers and businesses integrating with BobPlus Africa APIs.
Quickstart: Handling Callbacks
  1. Set up an endpoint on your server to receive POST requests from BobPlus Africa.
  2. Parse the JSON payload and extract the transaction details.
  3. Verify the hash parameter to ensure authenticity (see below).
  4. Process the transaction result in your system.
  5. Respond with HTTP 200 OK to acknowledge receipt.
Sample Success Callback Response
{
  "channel": "100001",
  "reference": "3883328",
  "transaction_id": "CP7S36ULT8P",
  "third_party_id": "SP7S36U3T8",
  "currency": "KES",
  "amount": "10",
  "fees": "0.2",
  "acc_name": "John Doe",
  "result_code": 0,
  "result_description": "The service request is processed successfully.",
  "hash": "c920aaebae731f9e16d9a8f1fc1e349b99313cf230f18126a0bbd07d64aac2e0"
}
Sample Failed Callback Response
{
  "channel": "100001",
  "reference": "3883328",
  "result_code": 1032,
  "transaction_id": "2345432345",
  "result_description": "DS timeout user cannot be reached",
  "hash": "e07f51540e120030f5beb594ba34f335f16f2f78c4a7a7b0d53647ac44590ff9"
}
How to Verify the Hash Parameter

The hash parameter is a SHA-256 HMAC that proves the callback is from BobPlus Africa. You should verify it by generating your own hash and comparing it to the one provided.

  • Concatenate all response fields in the order sent, except the hash parameter.
  • Hash the resulting string using your consumer key (provided during registration).

Order for generating the hash string:

  • Success Callback: channel+reference+transaction_id+third_party_id+currency+amount+fees+acc_name+result_code+result_description
  • Failed Callback: channel+reference+transaction_id+result_code+result_description
const crypto = require('crypto');

function implodeAll(sep, arr) {
    return arr.map(item => Array.isArray(item) ? implodeAll(sep, item) : item).join(sep);
}

// Sample callback response
const callBackResponse = {
  "channel": "100001",
  "reference": "3883328",
  "transaction_id": "CP7S36ULT8P",
  "third_party_id": "SP7S36U3T8",
  "currency": "KES",
  "amount": "10",
  "fees": "0.2",
  "acc_name": "John Doe",
  "result_code": 0,
  "result_description": "The service request is processed successfully.",
  "hash": "c920aaebae731f9e16d9a8f1fc1e349b99313cf230f18126a0bbd07d64aac2e0"
};

// Convert object values to a string
const stringToHash = implodeAll('', Object.values(callBackResponse).filter((_, i, arr) => arr[i] !== callBackResponse.hash));

// Hashing the concatenated string
const consumerKey = 'CONSUMER KEY HERE'; // Replace with actual consumer key
const hashedString = crypto.createHmac('sha256', consumerKey).update(stringToHash).digest('hex');

console.log(hashedString);
Security Best Practices
  • Always verify the hash to ensure the callback is authentic.
  • Keep your consumer key secure and never expose it publicly.
  • Respond with HTTP 200 OK to acknowledge receipt of the callback.
Support & Feedback

For help, contact support@bobplus.africa.
Feedback on this documentation? Let us know.

Terms of Use & Legal

By using this API, you agree to our Terms of Service and Privacy Policy. Do not share sensitive data or credentials.

V2.1.2