WWooshPayment docs
API

Webhook

Incoming webhooks from Whop and Shopify that WooshPayment receives. Custom outgoing webhooks to merchants are on the roadmap.

2 min read

Custom merchant webhooks: roadmap. WooshPayment does not yet emit outgoing webhooks to merchant-configured endpoints. When a customer pays, the status propagates to your Shopify/Woo through the standard integration, not via a custom webhook. Outgoing merchant webhooks are in the works.

Today this page documents the incoming webhooks that WooshPayment receives from Whop and Shopify.

Webhooks received from Whop

Endpoint we expose to receive payment notifications from Whop:

POST https://api.wooshpayment.com/webhooks/whop/payment-update

Configure this endpoint in your Whop dashboard โ†’ Settings โ†’ Webhooks. Whop signs every payload with HMAC-SHA256 using the secret from your configuration (stored as WHOP_WEBHOOK_SECRET on the platform side).

Processed events

Whop eventEffect on the WooshPayment session
invoice_paidstatus โ†’ COMPLETED, order created on Shopify/Woo
payment_succeededstatus โ†’ COMPLETED
membership_activatedstatus โ†’ COMPLETED
membership_went_validstatus โ†’ COMPLETED
payment.failed / payment_failed / invoice_payment_failedstatus โ†’ FAILED if not already COMPLETED
payment.refunded / payment_refunded / invoice_refundedstatus โ†’ REFUNDED if it was COMPLETED

Payload format

{
  "event": "invoice_paid",
  "data": {
    "id": "pay_xyz",
    "metadata": {
      "wooshpaymentSessionToken": "sess_abc"
    }
  }
}

To link a Whop payment to a WooshPayment session, we pass wooshpaymentSessionToken as metadata when creating the invoice/payment intent. When Whop sends it back in the webhook, we use it to look up the session.

Signature verification

Whop signs with HMAC-SHA256 in the X-Whop-Signature header. Our verification uses crypto.timingSafeEqual to prevent timing attacks.

Webhooks with an invalid signature are still persisted to the DB (for audit) but don't trigger state changes.

Webhooks received from Shopify

When the merchant installs the app, Shopify notifies us of events such as:

  • app/uninstalled โ€” app uninstallation, we mark shopifyConnected: false
  • customers/data_request (mandatory GDPR Compliance webhook)
  • customers/redact (mandatory GDPR Compliance webhook)
  • shop/redact (mandatory GDPR Compliance webhook)

All on https://api.wooshpayment.com/webhooks/shopify/*.

Custom merchant webhooks โ€” roadmap

When we release custom outgoing webhooks, the flow will be:

  1. Dashboard โ†’ "Webhook" โ†’ "Add endpoint" with HTTPS URL + event list
  2. WooshPayment sends an HMAC-signed POST to your endpoint when the event occurs
  3. Exponential retry up to 24h, manual replay from the dashboard
  4. Dead-letter queue for undeliverable events

Planned events:

  • session.completed (payment OK)
  • session.refunded
  • session.abandoned
  • dispute.created
  • dispute.resolved

ETA: post-launch.

Current workaround

For now, if you need to know when a WooshPayment order is completed:

  • Shopify: use Shopify's native orders/paid or orders/create webhooks โ€” we create the order on your Shopify right after Whop's invoice_paid, so your Shopify webhooks fire automatically
  • WooCommerce: use Woo's order.created or order.updated webhooks โ€” same logic

This is the simplest pattern today and covers 95% of use cases.