The envelope
Every event has the same shape:Event catalog
| Type | When it fires |
|---|---|
checkout.completed | A Checkout Session was paid (on a saved card, or a first-time caller paid via the texted link). |
checkout.failed | The charge was declined or errored. |
merchant.connected | A merchant finished connecting their payment processor to Ringup. |
checkout.completed with
method: "link", not a separate event.
checkout.completed
The one you build against. Its data is the completed Checkout Session with its Payment,
and it carries everything you need to mark an order paid:
order_id you passed (or the call_id), store the payment_id, and flip your
order to paid. checkout.failed carries the same fields plus a reason.
Statuses
A Payment moves through a small set of states:succeeded: the charge settled. This is the only status that means money moved.failed: the charge was declined or errored; nothing was charged.pending: a first-time caller was texted a link and has not paid yet. You see this only if you poll a Checkout Session during a call; a pending Payment does not send acheckout.completedwebhook until it settles.
Getting it right
Three rules cover almost every webhook bug:- Verify the signature. Each request carries a
Ringup-Signatureheader, an HMAC of the raw body plus a timestamp. Recompute it with your endpoint’s signing secret and reject a mismatch or an old timestamp, so nobody can forge an event. - Dedupe on
id. Delivery is at-least-once: Ringup retries on any non-2xx response, so the same event can arrive more than once. Treat a repeatedidas a no-op. - Acknowledge fast. Return
2xximmediately and do your work asynchronously. Ringup retries with backoff and parks a persistently failing endpoint after several attempts.
Registering an endpoint
Add your endpoint URL in the Ringup dashboard (or via the API). Ringup shows the signing secret once at creation. You can register more than one endpoint, and test mode delivers to its own.Signature scheme.
Ringup-Signature is an HMAC-SHA256 over the timestamp and the raw request
body, signed with your endpoint’s secret. When you register an endpoint the dashboard shows the
exact recipe and a copy-paste verification snippet next to your signing secret.Next steps
Testing
Trigger real events against the sandbox and watch them arrive.
API reference
Every field of every tool, with a live playground.