Register Webhook

POST 
/b2b/webhooks

Register a new webhook endpoint to receive event notifications from Payward Embed.

When you register a webhook, you'll receive a secret in the response. This secret is base64-encoded and is used to verify webhook signatures. Store it securely — it is only returned once and cannot be retrieved again.

You can optionally specify enabled and events at registration time, or configure them later using the Update Webhook endpoint.

URL Requirements

• Must use HTTPS protocol
• Maximum length: 2048 characters
• Must be a valid URL format
• Must have a valid host (not empty)
• Host cannot be a protocol name (e.g., http, https, ftp, file, mailto, ssh, git, svn)
• Path cannot start with // (indicates malformed URL)
• Cannot contain credentials (e.g., https://user:pass@example.com is rejected)

Valid URL Examples

• https://example.com/webhook
• https://example.com:8443/webhook

Invalid URL Examples

• http://example.com/webhook (HTTP not allowed)
• https://https//example.com (malformed - host is "https")
• https://user:pass@example.com/webhook (credentials not allowed)
• invalid-url (not a valid URL)

Request

Responses

200

Webhook registered successfully

400

Bad Request — the request was malformed or contained invalid parameters. Not retryable.

401

Unauthorized — authentication failed or credentials are missing/invalid. Not retryable.

403

Forbidden — the authenticated user does not have permission to perform this action. Not retryable.

404

Not Found — the requested resource does not exist. Not retryable.

408

Request Timeout — the request took too long to process. Retryable.

409

Conflict. Error codes:

• ENexus:Webhook already exists — not retryable

429

Too Many Requests — rate limit exceeded. Retryable with backoff.

500

Internal Server Error — an unexpected error occurred. Generally retryable.

503

Service Unavailable — the service is temporarily unavailable. Retryable.