E-Wallet Top Up Transaction

​Information

This webhook sends a POST request to your configured disbursement_notif_url when an E-Wallet Top Up transaction is completed (success or failed).

The disbursement_notif_url configuration can be accessed from the settings page as shown in the screenshot above.

​Request Details

When an E-Wallet Top Up transaction is completed (success or failed), Singa Payment Gateway will send a webhook notification to your registered disbursement_notif_url.

​Headers Structure

Note: All signature-related headers (X-Signature, X-Timestamp, Authorization) are always included when your merchant account has API credentials configured. For signature validation, extract the access token from the Authorization header and use it as-is in the string to sign. See the Security Mechanisms section below for details.

---

​Body Structure

​Body Example

{
    "response_code": "SP000",
    "response_message": "Successfully",
    "event": "ewallet-topup",
    "data": {
        "transaction_id": "EW101222025122910292195055674",
        "reference_number": "REF-EWALLET-001",
        "notes": "topup OVO pelanggan",
        "transaction_status": {
            "code": "00",
            "desc": "Success"
        },
        "post_timestamp": "1766978961000",
        "processed_timestamp": "1766978962000",
        "ewallet": {
            "code": "OVO",
            "customer_number": "08123456789",
            "customer_name": "Budi Santoso"
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "50000.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500.00"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "47500.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "750000"
        }
    }
}

{
    "response_code": "SP001",
    "response_message": "Transaction Failure",
    "event": "ewallet-topup",
    "data": {
        "transaction_id": "EW121222025122617513896515436",
        "reference_number": "REF-EWALLET-002",
        "notes": "topup DANA pelanggan",
        "transaction_status": {
            "code": "06",
            "desc": "Failed"
        },
        "post_timestamp": "1766978900000",
        "processed_timestamp": "",
        "ewallet": {
            "code": "DANA",
            "customer_number": "08198765432",
            "customer_name": null
        },
        "gross_amount": {
            "currency": "IDR",
            "value": "100000.00"
        },
        "fee": {
            "currency": "IDR",
            "value": "2500.00"
        },
        "net_amount": {
            "currency": "IDR",
            "value": "97500.00"
        },
        "balance_after": {
            "currency": "IDR",
            "value": "850000"
        },
        "failed_code": "CONNECTION_ERROR",
        "failed_reason": "Connection timeout to vendor"
    }
}

​Distinguishing Payloads at Your Endpoint

Since both Disbursement (Bank Transfer) and E-Wallet Top Up webhooks arrive at the same disbursement_notif_url, use the event field to determine the transaction type before processing.

Recommended approach (using event field):

<?php
$payload = json_decode(file_get_contents('php://input'), true);

$event = $payload['event'] ?? null;

if ($event === 'ewallet-topup') {
    // E-Wallet Top Up webhook
    $ewalletCode    = $payload['data']['ewallet']['code'];
    $customerNumber = $payload['data']['ewallet']['customer_number'];
    $netAmount      = $payload['data']['net_amount']['value'];
    $status         = $payload['data']['transaction_status']['code']; // "00" or "06"

    // handle e-wallet top up...

} elseif ($event === 'disbursement') {
    // Disbursement (Bank Transfer) webhook
    $bankCode    = $payload['data']['bank']['code'];
    $accountNo   = $payload['data']['bank']['account_number'];
    $netAmount   = $payload['data']['net_amount']['value'];
    $status      = $payload['data']['transaction_status']['code']; // "00" or "06"

    // handle disbursement...

} elseif (isset($payload['data']['bank']) && !isset($payload['event'])) {
    // Optional legacy fallback: very old disbursement callbacks without `event`
    $bankCode  = $payload['data']['bank']['code'];
    $netAmount = $payload['data']['net_amount']['value'];

    // handle disbursement...
}

http_response_code(200);
echo json_encode(['status' => 'success']);
?>

​Appendix

​01: Response Code

​02: Transaction Status

---

​Security Mechanisms

​Overview

To ensure the security and authenticity of webhook requests from Singa Payment Gateway, we provide two recommended security mechanisms. You can choose one or combine both for maximum protection.

Important Note: Signature validation is optional but highly recommended. You can secure your webhook endpoint using either IP whitelisting, signature validation, or both methods together.

​Security Options

​Option 1: IP Whitelist (Simpler Approach)

This is the simplest security method where you restrict webhook access to only authorized IP addresses from Singa Payment Gateway.

How it works:

• Configure your firewall or application to only accept requests from specific IP addresses
• Singa Payment Gateway will provide you with our official IP addresses
• Any requests from unauthorized IPs will be automatically rejected

Pros:

• ✅ Simple to implement
• ✅ No complex cryptographic operations required
• ✅ Works well for basic security needs

Cons:

• ❌ Less secure if IP addresses are compromised
• ❌ Requires manual updates if our IPs change
• ❌ Cannot verify request integrity (body tampering)

Implementation Example (Nginx):

location /webhook/ewallet-topup {
    # Only allow Singa Payment Gateway IPs
    allow 103.xxx.xxx.xxx;  # Replace with actual IPs from Singa
    allow 103.xxx.xxx.xxx;  # Replace with actual IPs from Singa
    deny all;

    proxy_pass http://your-backend;
}

Implementation Example (PHP):

<?php
// Define allowed IPs (get these from Singa Payment Gateway)
$allowedIPs = [
    '103.xxx.xxx.xxx',
    '103.xxx.xxx.xxx',
];

$requestIP = $_SERVER['REMOTE_ADDR'];

if (!in_array($requestIP, $allowedIPs)) {
    http_response_code(403);
    echo json_encode(['status' => 'error', 'message' => 'Access denied']);
    exit;
}

// Process webhook...
?>

​Option 2: Signature Validation (Recommended for Higher Security)

This method uses cryptographic signatures to verify that:

1. The request actually comes from Singa Payment Gateway
2. The request body has not been tampered with during transmission

How it works:

• Singa Payment Gateway signs each webhook request using HMAC-SHA512
• You validate the signature using your Client Secret
• Only requests with valid signatures are processed

Pros:

• ✅ Highest security level
• ✅ Verifies both authenticity and integrity
• ✅ Protects against man-in-the-middle attacks
• ✅ No dependency on IP addresses

Cons:

• ❌ Requires implementation of signature validation logic
• ❌ Slightly more complex to implement

When to use: Production environments, handling sensitive transactions, or when maximum security is required.

See the detailed implementation guide in the “How to Validate Signature” section below.

​Option 3: Combined Approach (Maximum Security - Recommended)

For production environments, we strongly recommend using both IP whitelisting and signature validation together.

Implementation order:

1. First layer: Check IP whitelist (fast, blocks unauthorized IPs immediately)
2. Second layer: Validate signature (ensures request integrity)

Benefits:

• ✅ Defense in depth - multiple security layers
• ✅ Protection against both unauthorized access and tampering
• ✅ Industry best practice for webhook security

Example Implementation:

<?php
// Layer 1: IP Whitelist
$allowedIPs = ['103.xxx.xxx.xxx', '103.xxx.xxx.xxx'];
$requestIP = $_SERVER['REMOTE_ADDR'];

if (!in_array($requestIP, $allowedIPs)) {
    http_response_code(403);
    exit;
}

// Layer 2: Signature Validation
$requestBody = file_get_contents('php://input');
$headers = getallheaders();
$clientSecret = 'your-client-secret';
$endpoint = '/webhook/ewallet-topup';

if (!validateWebhookSignature($requestBody, $headers, $clientSecret, $endpoint)) {
    http_response_code(401);
    exit;
}

// Both checks passed - process webhook
$payload = json_decode($requestBody, true);
// ... process transaction ...
?>

​Which Option Should You Choose?

​Getting Singa Payment Gateway IP Addresses

To implement IP whitelisting, contact our support team or check your merchant dashboard for the official list of Singa Payment Gateway IP addresses.

Note: We will notify you in advance if our IP addresses change.

---

​How to Validate Signature (Optional but Recommended)

​Overview

The X-Signature header is a security mechanism that ensures the webhook request is authentic and comes from Singa Payment Gateway. This signature is generated using HMAC SHA512 algorithm.

Note: While signature validation is optional, we strongly recommend implementing it, especially for production environments, to ensure maximum security and data integrity.

E-Wallet Top Up webhooks use the exact same HMAC SHA512 signature scheme as Disbursement (Bank Transfer) webhooks.

​Signature Algorithm: HMAC SHA512

The signature is created using a multi-step process that combines the request method, endpoint, access token, hashed body, and timestamp.

​Step-by-Step Validation Guide

​Step 1: Extract Headers

Extract the following headers from the incoming webhook request:

• X-Signature - The signature to validate
• X-Timestamp - Unix timestamp (in seconds)
• Authorization - Bearer token (extract the token part)

​Step 2: Get Your Client Secret

Retrieve your Client Secret from the merchant dashboard. This is the same secret used for API authentication and is required as the HMAC key for signature verification.

Important: The Client Secret must be kept secure and never exposed in client-side code or logs.

​Step 3: Extract Endpoint Path

Extract the endpoint path from your webhook URL. For example:

• Full URL: https://yourdomain.com/webhook/ewallet-topup?param=value
• Endpoint: /webhook/ewallet-topup?param=value

The endpoint includes the path and any query parameters.

​Step 4: Normalize and Hash the Request Body

The request body must be normalized before hashing to ensure consistent results:

1. Parse JSON: Decode the JSON body into an object/array
2. Sort Keys Recursively: Sort all object keys alphabetically at every level
3. Re-encode JSON: Encode back to JSON with these flags:
   • JSON_UNESCAPED_UNICODE - Don’t escape Unicode characters
   • JSON_UNESCAPED_SLASHES - Don’t escape forward slashes
4. Hash with SHA-256: Generate SHA-256 hash of the normalized JSON

Example:

Original JSON: {"event":"ewallet-topup","response_code":"SP000","data":{"transaction_id":"EW123"}}
After sorting: {"data":{"transaction_id":"EW123"},"event":"ewallet-topup","response_code":"SP000"}
SHA-256 Hash: 5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a

​Step 5: Build the String to Sign

Concatenate the following values with colon (:) as separator:

StringToSign = METHOD + ":" + ENDPOINT + ":" + ACCESS_TOKEN + ":" + HASHED_BODY + ":" + TIMESTAMP

Example:

Method:       POST
Endpoint:     /webhook/ewallet-topup
Access Token: eyJ0eXAiOiJKV1QiLCJhbGci...
Hashed Body:  5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a
Timestamp:    1695711945

StringToSign = POST:/webhook/ewallet-topup:eyJ0eXAiOiJKV1QiLCJhbGci...:5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a:1695711945

​Step 6: Generate HMAC SHA512 Signature

Use your Client Secret as the HMAC key and hash the string to sign:

Calculated Signature = HMAC-SHA512(StringToSign, Client Secret)

​Step 7: Compare Signatures

Compare the calculated signature with the signature from the X-Signature header using a constant-time comparison to prevent timing attacks.

Important: Use hash_equals() in PHP, crypto.timingSafeEqual() in Node.js, or hmac.compare_digest() in Python for secure comparison.

if (hash_equals($calculatedSignature, $receivedSignature)) {
    // Signature is valid - process webhook
} else {
    // Signature is invalid - reject request
}

​Implementation Examples

​PHP

<?php

/**
 * Validate webhook signature from Singa Payment Gateway
 */
function validateWebhookSignature($requestBody, $headers, $clientSecret, $endpoint) {
    // Step 1: Extract headers
    $receivedSignature = $headers['X-Signature'] ?? '';
    $timestamp = $headers['X-Timestamp'] ?? '';
    $authorization = $headers['Authorization'] ?? '';

    // Extract access token from "Bearer {token}"
    $accessToken = str_replace('Bearer ', '', $authorization);

    // Step 2: Normalize and hash the request body
    $bodyArray = json_decode($requestBody, true);

    if (json_last_error() !== JSON_ERROR_NONE) {
        return false; // Invalid JSON
    }

    // Sort keys recursively
    function sortRecursive(&$array) {
        ksort($array, SORT_STRING);
        foreach ($array as &$value) {
            if (is_array($value)) {
                sortRecursive($value);
            }
        }
    }

    sortRecursive($bodyArray);

    // Re-encode with specific flags
    $normalizedJson = json_encode($bodyArray, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);

    // Hash with SHA-256
    $hashedBody = hash('sha256', $normalizedJson);

    // Step 3: Build string to sign
    $method = 'POST'; // Webhooks always use POST
    $stringToSign = "{$method}:{$endpoint}:{$accessToken}:{$hashedBody}:{$timestamp}";

    // Step 4: Generate HMAC SHA512 signature
    $calculatedSignature = hash_hmac('sha512', $stringToSign, $clientSecret);

    // Step 5: Compare signatures using constant-time comparison
    return hash_equals($calculatedSignature, $receivedSignature);
}

// Usage example
$requestBody = file_get_contents('php://input');
$headers = getallheaders();
$clientSecret = 'your-client-secret-from-dashboard'; // Get from merchant dashboard
$endpoint = '/webhook/ewallet-topup'; // Your webhook endpoint path

if (validateWebhookSignature($requestBody, $headers, $clientSecret, $endpoint)) {
    // Signature is valid - process webhook
    $payload = json_decode($requestBody, true);

    $event = $payload['event']; // "ewallet-topup"
    $transactionId = $payload['data']['transaction_id'];
    $referenceNumber = $payload['data']['reference_number'];
    $statusCode = $payload['data']['transaction_status']['code']; // "00" or "06"
    $netAmount = $payload['data']['net_amount']['value'];

    // Update your database, send notifications, etc.

    // Return success response
    http_response_code(200);
    echo json_encode(['status' => 'success']);
} else {
    // Signature is invalid - reject request
    http_response_code(401);
    echo json_encode(['status' => 'error', 'message' => 'Invalid signature']);
}
?>

​Python

import hmac
import hashlib
import json
from flask import Flask, request, jsonify

app = Flask(__name__)

def sort_dict_recursive(data):
    """Recursively sort dictionary keys"""
    if isinstance(data, dict):
        return {k: sort_dict_recursive(v) for k, v in sorted(data.items())}
    elif isinstance(data, list):
        return [sort_dict_recursive(item) for item in data]
    else:
        return data

def validate_webhook_signature(request_body, headers, client_secret, endpoint):
    """Validate webhook signature from Singa Payment Gateway"""

    # Step 1: Extract headers
    received_signature = headers.get('X-Signature', '')
    timestamp = headers.get('X-Timestamp', '')
    authorization = headers.get('Authorization', '')

    # Extract access token from "Bearer {token}"
    access_token = authorization.replace('Bearer ', '')

    # Step 2: Parse and normalize JSON
    try:
        body_dict = json.loads(request_body)
    except json.JSONDecodeError:
        return False

    # Sort keys recursively
    sorted_body = sort_dict_recursive(body_dict)

    # Re-encode with specific settings
    normalized_json = json.dumps(sorted_body, ensure_ascii=False, separators=(',', ':'))

    # Hash with SHA-256
    hashed_body = hashlib.sha256(normalized_json.encode('utf-8')).hexdigest()

    # Step 3: Build string to sign
    method = 'POST'  # Webhooks always use POST
    string_to_sign = f"{method}:{endpoint}:{access_token}:{hashed_body}:{timestamp}"

    # Step 4: Generate HMAC SHA512 signature
    calculated_signature = hmac.new(
        client_secret.encode('utf-8'),
        string_to_sign.encode('utf-8'),
        hashlib.sha512
    ).hexdigest()

    # Step 5: Compare signatures using constant-time comparison
    return hmac.compare_digest(calculated_signature, received_signature)

@app.route('/webhook/ewallet-topup', methods=['POST'])
def webhook_ewallet_topup():
    """Handle E-Wallet Top Up transaction webhook"""

    request_body = request.get_data(as_text=True)
    headers = dict(request.headers)
    client_secret = 'your-client-secret-from-dashboard'  # Get from merchant dashboard
    endpoint = '/webhook/ewallet-topup'  # Your webhook endpoint path

    if validate_webhook_signature(request_body, headers, client_secret, endpoint):
        # Signature is valid - process webhook
        payload = json.loads(request_body)

        event = payload.get('event')  # "ewallet-topup"
        transaction_id = payload['data']['transaction_id']
        reference_number = payload['data']['reference_number']
        status_code = payload['data']['transaction_status']['code']  # "00" or "06"
        net_amount = payload['data']['net_amount']['value']

        # Update your database, send notifications, etc.

        # Return success response
        return jsonify({'status': 'success'}), 200
    else:
        # Signature is invalid - reject request
        return jsonify({'status': 'error', 'message': 'Invalid signature'}), 401

if __name__ == '__main__':
    app.run(port=3000)

​JavaScript (Node.js with Express)

const express = require('express');
const crypto = require('crypto');

const app = express();

// Middleware to capture raw body for signature validation
app.use(express.json({
    verify: (req, res, buf) => {
        req.rawBody = buf.toString('utf8');
    }
}));

/**
 * Recursively sort object keys
 */
function sortObjectRecursive(obj) {
    if (typeof obj !== 'object' || obj === null) {
        return obj;
    }

    if (Array.isArray(obj)) {
        return obj.map(sortObjectRecursive);
    }

    const sorted = {};
    Object.keys(obj).sort().forEach(key => {
        sorted[key] = sortObjectRecursive(obj[key]);
    });

    return sorted;
}

/**
 * Validate webhook signature from Singa Payment Gateway
 */
function validateWebhookSignature(requestBody, headers, clientSecret, endpoint) {
    // Step 1: Extract headers
    const receivedSignature = headers['x-signature'] || '';
    const timestamp = headers['x-timestamp'] || '';
    const authorization = headers['authorization'] || '';

    // Extract access token from "Bearer {token}"
    const accessToken = authorization.replace('Bearer ', '');

    // Step 2: Parse and normalize JSON
    let bodyObject;
    try {
        bodyObject = JSON.parse(requestBody);
    } catch (e) {
        return false; // Invalid JSON
    }

    // Sort keys recursively
    const sortedBody = sortObjectRecursive(bodyObject);

    // Re-encode JSON (no escaping for unicode and slashes)
    const normalizedJson = JSON.stringify(sortedBody);

    // Hash with SHA-256
    const hashedBody = crypto
        .createHash('sha256')
        .update(normalizedJson)
        .digest('hex');

    // Step 3: Build string to sign
    const method = 'POST'; // Webhooks always use POST
    const stringToSign = `${method}:${endpoint}:${accessToken}:${hashedBody}:${timestamp}`;

    // Step 4: Generate HMAC SHA512 signature
    const calculatedSignature = crypto
        .createHmac('sha512', clientSecret)
        .update(stringToSign)
        .digest('hex');

    // Step 5: Compare signatures using constant-time comparison
    return crypto.timingSafeEqual(
        Buffer.from(calculatedSignature),
        Buffer.from(receivedSignature)
    );
}

// Webhook endpoint
app.post('/webhook/ewallet-topup', (req, res) => {
    const requestBody = req.rawBody;
    const headers = req.headers;
    const clientSecret = 'your-client-secret-from-dashboard'; // Get from merchant dashboard
    const endpoint = '/webhook/ewallet-topup'; // Your webhook endpoint path

    if (validateWebhookSignature(requestBody, headers, clientSecret, endpoint)) {
        // Signature is valid - process webhook
        const payload = req.body;

        const event = payload.event; // "ewallet-topup"
        const transactionId = payload.data.transaction_id;
        const referenceNumber = payload.data.reference_number;
        const statusCode = payload.data.transaction_status.code; // "00" or "06"
        const netAmount = payload.data.net_amount.value;

        // Update your database, send notifications, etc.

        // Return success response
        res.status(200).json({ status: 'success' });
    } else {
        // Signature is invalid - reject request
        res.status(401).json({ status: 'error', message: 'Invalid signature' });
    }
});

app.listen(3000, () => {
    console.log('Webhook server running on port 3000');
});

​Important Notes

• Always validate signatures: Never process webhook requests without validating the signature first
• Use constant-time comparison: Prevents timing attacks (use hash_equals(), crypto.timingSafeEqual(), or hmac.compare_digest())
• Validate timestamp: Check that the timestamp is recent (within 5 minutes) to prevent replay attacks
• Preserve raw body: Don’t parse the JSON before validation - use the raw request body for hashing
• Case sensitivity: The signature is case-sensitive (lowercase hex)
• Character encoding: Use UTF-8 encoding for all strings
• HMAC key: Always use your client_secret as the HMAC key
• Secure storage: Store your Client Secret securely (environment variables, secure vault)
• HTTPS only: Always use HTTPS for your webhook endpoints

• ❌ Not sorting JSON keys before hashing (order matters!)
• ❌ Using wrong hash algorithm (must use SHA-256 for body, SHA-512 for signature)
• ❌ Wrong separator in string to sign (must use :, not _ or -)
• ❌ Using API Key instead of Client Secret
• ❌ Not preserving raw request body (parsing JSON before validation)
• ❌ Using simple string comparison instead of constant-time comparison
• ❌ Wrong order in string to sign (must be: METHOD:ENDPOINT:TOKEN:HASH:TIMESTAMP)
• ❌ Forgetting to extract Bearer token from Authorization header
• ❌ Not including query parameters in endpoint path
• ❌ Processing webhook without validating signature first

​Troubleshooting

If signature validation fails:

1. Check string to sign format: Must be METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP
2. Verify JSON normalization: Keys must be sorted recursively, use correct JSON encoding flags
3. Check hash algorithm: SHA-256 for body hash, SHA-512 for HMAC signature
4. Verify HMAC key: Must use Client Secret (not API Key)
5. Check endpoint path: Must match exactly including query parameters
6. Verify timestamp: Should be a valid Unix timestamp in seconds
7. Check access token: Extract correctly from Authorization header (remove “Bearer ” prefix)
8. Log values for debugging: Log stringToSign, hashedBody, and calculatedSignature (in development only)

​Security Considerations

• Prevent replay attacks: Validate that X-Timestamp is recent (within 5 minutes of current time)
• Use HTTPS: Always use HTTPS for webhook endpoints to prevent man-in-the-middle attacks
• Rate limiting: Implement rate limiting on webhook endpoints
• IP whitelisting: Consider whitelisting Singa Payment Gateway IP addresses
• Error handling: Don’t expose detailed error messages to webhook sender
• Idempotency: Handle duplicate webhooks gracefully (use reference_number to detect duplicates)
• Logging: Log all webhook requests (with signatures removed) for audit purposes

​Response Requirements

Your webhook endpoint must return an appropriate HTTP response:

​Success Response

When the webhook is processed successfully:

Status Code: 200 OK

{
  "status": "success"
}

​Error Responses

Invalid Signature (401 Unauthorized):

{
  "status": "error",
  "message": "Invalid signature"
}

Processing Error (500 Internal Server Error):

{
  "status": "error",
  "message": "Failed to process webhook"
}

Important: Singa Payment Gateway will retry failed webhooks (non-200 responses) up to 3 times with exponential backoff.

​E-Wallet Top Up Specific Notes

​Idempotency

E-Wallet Top Up transactions use reference_number for idempotency:

• Each reference_number can only be used once per account
• If you retry with the same reference_number, you will receive the existing transaction status
• Always check reference_number before processing to avoid duplicate handling

Example — detecting duplicate webhook:

$referenceNumber = $payload['data']['reference_number'];

$existingTransaction = findTransactionByReference($referenceNumber);
if ($existingTransaction) {
    // Already processed — return success without re-processing
    http_response_code(200);
    return;
}

// Process new transaction
processEwalletTopUp($payload);

​Timestamp Format

Important: E-Wallet Top Up webhooks use two different timestamp formats:

1. X-Timestamp header (for signature validation): Unix timestamp in seconds

   • Example: 1695711945
   • Used for signature generation and validation

2. post_timestamp & processed_timestamp (in request body): Unix timestamp in milliseconds

   • Example: 1766978961000
   • Used for displaying transaction timing

Converting millisecond timestamps:

// Convert to DateTime
$postTimestamp = $payload['data']['post_timestamp']; // "1766978961000"
$date = new DateTime();
$date->setTimestamp((int)($postTimestamp / 1000)); // Divide by 1000 to get seconds

// Or use Carbon (Laravel)
$date = \Carbon\Carbon::createFromTimestampMs($postTimestamp);

Important: When validating signatures, always use the X-Timestamp header value (in seconds), NOT the timestamps from the request body (which are in milliseconds).

​Balance Refund on Failure

When an E-Wallet Top Up fails, Singa Payment Gateway automatically refunds the full gross_amount (net + fee) back to your merchant balance. You do not need to request a manual refund — the balance is restored immediately upon failure detection. The balance_after field reflects the post-refund balance.

​Balance Tracking

The balance_after field shows your account balance after the transaction:

• For successful transactions: Shows remaining balance after deduction
• For failed transactions: Shows balance after automatic refund (balance is restored)
• Use this to verify balance consistency with your system
• All amounts are in IDR (Indonesian Rupiah)