Zerthpay webhooks are encrypted and transmitted securely. When a payment is received into a merchant's virtual account, a webhook is triggered. The payload sent is not plain JSON — it is encrypted and base64-encoded to ensure secure transmission.
The encryption uses the AES-256-CBC cipher. The payload is first encrypted with your webhook secret key and an IV (initialization vector), then base64-encoded. You will receive two fields in the webhook:
- `iv`: Base64-encoded initialization vector used during encryption
- `payload`: Base64-encoded encrypted data

To decrypt the webhook, follow this process in PHP:
```php
// Step 1: Get the webhook payload
$raw = $request->all();

// Step 2: Hash your webhook secret key using SHA-256
$key = hash('sha256', 'your-webhook-secret', true);

// Step 3: Decode the IV and payload (both are base64 encoded)
$iv = base64_decode($raw['iv']);
$encryptedPayload = base64_decode($raw['payload']);

// Step 4: Decrypt the payload using AES-256-CBC
$decrypted = openssl_decrypt(
    $encryptedPayload,
    'AES-256-CBC',
    $key,
    0,
    $iv
);

// Step 5: Convert the decrypted JSON string into an array (optional)
$webhookData = json_decode($decrypted, true);
// Now you can access $webhookData['reference'], ['amount'], etc.
```
You can then parse the decrypted JSON string to extract the transaction details. The `externalReference` field in the payload matches the reference from your original payment request.
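
A fail-closed version of the steps above, as an added example that is not Zerthpay's own code: it validates both fields, the IV length, the decrypt result and the JSON before returning anything. The function name `decryptZerthpayWebhook`, the exception types and the sample values are assumptions; the sample is constructed to fit the decrypt steps above and is not a captured webhook.

```php
<?php
declare(strict_types=1);

// Added example: function name and exception types are assumptions.
function decryptZerthpayWebhook(array $raw, string $webhookSecret): array
{
    // Both fields must be present and must be strings.
    foreach (['iv', 'payload'] as $field) {
        if (!isset($raw[$field]) || !is_string($raw[$field])) {
            throw new InvalidArgumentException("Missing or non-string field: $field");
        }
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $iv = base64_decode($raw['iv'], true);
    $encryptedPayload = base64_decode($raw['payload'], true);
    if ($iv === false || $encryptedPayload === false) {
        throw new InvalidArgumentException('iv or payload is not valid base64');
    }
    // AES-256-CBC takes a 16-byte IV; reject anything else up front.
    if (strlen($iv) !== 16) {
        throw new InvalidArgumentException('IV must be 16 bytes');
    }
    // Same key derivation and decrypt call as the steps above.
    $key = hash('sha256', $webhookSecret, true);
    $decrypted = openssl_decrypt($encryptedPayload, 'AES-256-CBC', $key, 0, $iv);
    if ($decrypted === false) {
        throw new RuntimeException('Webhook decryption failed');
    }
    // JSON_THROW_ON_ERROR raises JsonException on malformed JSON.
    $data = json_decode($decrypted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Decrypted webhook is not a JSON object');
    }
    return $data;
}

// Constructed sample (not a captured webhook), built to fit the steps above.
$secret = 'your-webhook-secret';
$iv = random_bytes(16);
$json = '{"externalReference":"ORDER-1001","amount":5000}';
$cipherText = openssl_encrypt($json, 'AES-256-CBC', hash('sha256', $secret, true), 0, $iv);
$sample = ['iv' => base64_encode($iv), 'payload' => base64_encode($cipherText)];
echo decryptZerthpayWebhook($sample, $secret)['externalReference'], PHP_EOL;

// A malformed IV is rejected before any decryption is attempted.
try {
    decryptZerthpayWebhook(['iv' => base64_encode('short')] + $sample, $secret);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

AES-256-CBC decryption by itself does not prove the message was unmodified, so check the decrypted `externalReference` against a payment request you actually created before acting on it.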