Product Expiration

​Information

Important: This webhook is completely optional. You can choose not to configure this webhook if you don’t need expiration notifications. Your payment products will still work normally - this webhook only serves as a notification mechanism when products expire.

This webhook sends a POST request to your configured product_expiration_notif_url when payment products (Payment Links, Virtual Accounts, or QRIS transactions) reach their expiration time. Unlike other webhooks, this is a batch notification that can include multiple expired products in a single webhook call.

The product_expiration_notif_url configuration can be accessed from the settings page as shown in the screenshot above.

​Request Details

When payment products expire, Singa Payment Gateway can send a batch webhook notification to your registered callback URL. The request includes security headers for verification.

​Headers Structure

* Note: Headers marked as “Optional” are included when you enable signature-based security. See the Security Mechanisms section below to understand the different security options available.

Authorization Note: The access token in the Authorization header is a randomly generated string (not a user access token) because this webhook is triggered by the system’s scheduled expiration checker, not by a user action.

---

​Body Structure

​Body Example

{
  "status": 200,
  "success": true,
  "event": "product_expiration",
  "timestamp": "26 Dec 2025 14:00:00",
  "merchant": {
    "id": 123,
    "name": "PT Example Indonesia"
  },
  "data": {
    "payment_links": [
      {
        "id": 456,
        "reff_no": "PL-20251220-XYZ789",
        "title": "Donasi Amal",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      },
      {
        "id": 457,
        "reff_no": "PL-20251221-ABC123",
        "title": "Pembayaran Tagihan",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      }
    ],
    "virtual_accounts": [
      {
        "id": 789,
        "reff_no": "VA-20251226-ABC123",
        "virtual_account_number": "7872955146576837",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      },
      {
        "id": 790,
        "reff_no": "VA-20251226-DEF456",
        "virtual_account_number": "7872955146576838",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      },
      {
        "id": 791,
        "reff_no": "VA-20251226-GHI789",
        "virtual_account_number": "7872955146576839",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      }
    ],
    "qris_transactions": [
      {
        "id": 321,
        "reff_no": "QRIS-20251226-DEF456",
        "nmid": "ID1234567890123",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      }
    ]
  },
  "summary": {
    "total_expired": 6,
    "payment_links_count": 2,
    "virtual_accounts_count": 3,
    "qris_transactions_count": 1
  }
}

{
  "status": 200,
  "success": true,
  "event": "product_expiration",
  "timestamp": "26 Dec 2025 14:00:00",
  "merchant": {
    "id": 123,
    "name": "PT Example Indonesia"
  },
  "data": {
    "payment_links": [],
    "virtual_accounts": [
      {
        "id": 789,
        "reff_no": "VA-20251226-ABC123",
        "virtual_account_number": "7872955146576837",
        "status": "expired",
        "expired_at": "2025-12-26 14:00:00"
      }
    ],
    "qris_transactions": []
  },
  "summary": {
    "total_expired": 1,
    "payment_links_count": 0,
    "virtual_accounts_count": 1,
    "qris_transactions_count": 0
  }
}

---

​Security Mechanisms

​Overview

To ensure the security and authenticity of webhook requests from Singa Payment Gateway, we provide two recommended security mechanisms. You can choose one or combine both for maximum protection.

Important Note: Signature validation is optional but highly recommended. You can secure your webhook endpoint using either IP whitelisting, signature validation, or both methods together.

​Security Options

​Option 1: IP Whitelist (Simpler Approach)

This is the simplest security method where you restrict webhook access to only authorized IP addresses from Singa Payment Gateway.

How it works:

• Configure your firewall or application to only accept requests from specific IP addresses
• Singa Payment Gateway will provide you with our official IP addresses
• Any requests from unauthorized IPs will be automatically rejected

Pros:

• ✅ Simple to implement
• ✅ No complex cryptographic operations required
• ✅ Works well for basic security needs

Cons:

• ❌ Less secure if IP addresses are compromised
• ❌ Requires manual updates if our IPs change
• ❌ Cannot verify request integrity (body tampering)

Implementation Example (Nginx):

location /webhook/product-expiration {
    # Only allow Singa Payment Gateway IPs
    allow 103.xxx.xxx.xxx;  # Replace with actual IPs from Singa
    allow 103.xxx.xxx.xxx;  # Replace with actual IPs from Singa
    deny all;

    proxy_pass http://your-backend;
}

Implementation Example (PHP):

<?php
// Define allowed IPs (get these from Singa Payment Gateway)
$allowedIPs = [
    '103.xxx.xxx.xxx',
    '103.xxx.xxx.xxx',
];

$requestIP = $_SERVER['REMOTE_ADDR'];

if (!in_array($requestIP, $allowedIPs)) {
    http_response_code(403);
    echo json_encode(['status' => 'error', 'message' => 'Access denied']);
    exit;
}

// Process webhook...
?>

​Option 2: Signature Validation (Recommended for Higher Security)

This method uses cryptographic signatures to verify that:

1. The request actually comes from Singa Payment Gateway
2. The request body has not been tampered with during transmission

How it works:

• Singa Payment Gateway signs each webhook request using HMAC-SHA512
• You validate the signature using your Client Secret
• Only requests with valid signatures are processed

Pros:

• ✅ Highest security level
• ✅ Verifies both authenticity and integrity
• ✅ Protects against man-in-the-middle attacks
• ✅ No dependency on IP addresses

Cons:

• ❌ Requires implementation of signature validation logic
• ❌ Slightly more complex to implement

When to use: Production environments, handling sensitive data, or when maximum security is required.

See the detailed implementation guide in the “How to Validate Signature” section below.

​Option 3: Combined Approach (Maximum Security - Recommended)

For production environments, we strongly recommend using both IP whitelisting and signature validation together.

Implementation order:

1. First layer: Check IP whitelist (fast, blocks unauthorized IPs immediately)
2. Second layer: Validate signature (ensures request integrity)

Benefits:

• ✅ Defense in depth - multiple security layers
• ✅ Protection against both unauthorized access and tampering
• ✅ Industry best practice for webhook security

Example Implementation:

<?php
// Layer 1: IP Whitelist
$allowedIPs = ['103.xxx.xxx.xxx', '103.xxx.xxx.xxx'];
$requestIP = $_SERVER['REMOTE_ADDR'];

if (!in_array($requestIP, $allowedIPs)) {
    http_response_code(403);
    exit;
}

// Layer 2: Signature Validation
$requestBody = file_get_contents('php://input');
$headers = getallheaders();
$clientSecret = 'your-client-secret';
$endpoint = '/webhook/product-expiration';

if (!validateWebhookSignature($requestBody, $headers, $clientSecret, $endpoint)) {
    http_response_code(401);
    exit;
}

// Both checks passed - process webhook
$payload = json_decode($requestBody, true);
// ... process expiration notification ...
?>

​Which Option Should You Choose?

​Getting Singa Payment Gateway IP Addresses

To implement IP whitelisting, contact our support team or check your merchant dashboard for the official list of Singa Payment Gateway IP addresses.

Note: We will notify you in advance if our IP addresses change.

---

​How to Validate Signature (Optional but Recommended)

​Overview

The X-Signature header is a security mechanism that ensures the webhook request is authentic and comes from Singa Payment Gateway. This signature is generated using HMAC SHA512 algorithm.

Implementation Note: Product Expiration webhooks use the signature generation method from the GeneratesCallbackSignature trait, which is the standard signature implementation across most webhooks.

Note: While signature validation is optional, we strongly recommend implementing it, especially for production environments, to ensure maximum security and data integrity.

​Signature Algorithm: HMAC SHA512

The signature is created using a multi-step process that combines the request method, endpoint, access token, hashed body, and timestamp.

Reference Implementation:

• Trait: App\Traits\GeneratesCallbackSignature
• Main method: GeneratesCallbackSignature::generateHeadersCallback() (lines 30-81)
• Body hashing: GeneratesCallbackSignature::hashNormalizedJson() (lines 90-118)
• Recursive sorting: GeneratesCallbackSignature::sortRecursive() (lines 129-143)
• Endpoint extraction: GeneratesCallbackSignature::extractEndpoint() (lines 154-167)

​Step-by-Step Validation Guide

​Step 1: Extract Headers

Extract the following headers from the incoming webhook request:

• X-Signature - The signature to validate
• X-Timestamp - Unix timestamp (in seconds)
• Authorization - Bearer token (extract the token part)

Important: The access token in this webhook is a randomly generated string, not a user access token, since the webhook is triggered by the system’s scheduled job.

​Step 2: Get Your Client Secret

Retrieve your Client Secret from the merchant dashboard. This is the same secret used for API authentication and is required as the HMAC key for signature verification.

Important: The Client Secret must be kept secure and never exposed in client-side code or logs.

​Step 3: Extract Endpoint Path

Extract the endpoint path from your webhook URL. For example:

• Full URL: https://yourdomain.com/webhook/product-expiration?param=value
• Endpoint: /webhook/product-expiration?param=value

The endpoint includes the path and any query parameters.

​Step 4: Normalize and Hash the Request Body

The request body must be normalized before hashing to ensure consistent results:

1. Parse JSON: Decode the JSON body into an object/array
2. Sort Keys Recursively: Sort all object keys alphabetically at every level
3. Re-encode JSON: Encode back to JSON with these flags:
   • JSON_UNESCAPED_UNICODE - Don’t escape Unicode characters
   • JSON_UNESCAPED_SLASHES - Don’t escape forward slashes
4. Hash with SHA-256: Generate SHA-256 hash of the normalized JSON

Example:

Original JSON: {"status":200,"success":true,"event":"product_expiration"}
After sorting: {"event":"product_expiration","status":200,"success":true}
SHA-256 Hash: 5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a

​Step 5: Build the String to Sign

Concatenate the following values with colon (:) as separator:

StringToSign = METHOD + ":" + ENDPOINT + ":" + ACCESS_TOKEN + ":" + HASHED_BODY + ":" + TIMESTAMP

Example:

Method:       POST
Endpoint:     /webhook/product-expiration
Access Token: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Hashed Body:  5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a
Timestamp:    1695711945

StringToSign = POST:/webhook/product-expiration:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6:5f4dcc3b5aa765d61d8327deb882cf99acd3d28e5cf0e661c02c8e8e6e8e6f9a:1695711945

​Step 6: Generate HMAC SHA512 Signature

Use your Client Secret as the HMAC key and hash the string to sign:

Calculated Signature = HMAC-SHA512(StringToSign, Client Secret)

​Step 7: Compare Signatures

Compare the calculated signature with the signature from the X-Signature header using a constant-time comparison to prevent timing attacks.

Important: Use hash_equals() in PHP, crypto.timingSafeEqual() in Node.js, or hmac.compare_digest() in Python for secure comparison.

if (hash_equals($calculatedSignature, $receivedSignature)) {
    // Signature is valid - process webhook
} else {
    // Signature is invalid - reject request
}

​Important Notes

• Always validate signatures: Never process webhook requests without validating the signature first
• Use constant-time comparison: Prevents timing attacks (use hash_equals(), crypto.timingSafeEqual(), or hmac.compare_digest())
• Validate timestamp: Check that the timestamp is recent (within 5 minutes) to prevent replay attacks
• Preserve raw body: Don’t parse the JSON before validation - use the raw request body for hashing
• Case sensitivity: The signature is case-sensitive (lowercase hex)
• Character encoding: Use UTF-8 encoding for all strings
• HMAC key: Always use your client_secret as the HMAC key
• Secure storage: Store your Client Secret securely (environment variables, secure vault)
• HTTPS only: Always use HTTPS for your webhook endpoints

• ❌ Not sorting JSON keys before hashing (order matters!)
• ❌ Using wrong hash algorithm (must use SHA-256 for body, SHA-512 for signature)
• ❌ Wrong separator in string to sign (must use :, not _ or -)
• ❌ Using API Key instead of Client Secret
• ❌ Not preserving raw request body (parsing JSON before validation)
• ❌ Using simple string comparison instead of constant-time comparison
• ❌ Wrong order in string to sign (must be: METHOD:ENDPOINT:TOKEN:HASH:TIMESTAMP)
• ❌ Forgetting to extract Bearer token from Authorization header
• ❌ Not including query parameters in endpoint path
• ❌ Processing webhook without validating signature first

​Response Requirements

Your webhook endpoint must return an appropriate HTTP response:

​Success Response

When the webhook is processed successfully:

Status Code: 200 OK

{
  "status": "success"
}

​Error Responses

Invalid Signature (401 Unauthorized):

{
  "status": "error",
  "message": "Invalid signature"
}

Processing Error (500 Internal Server Error):

{
  "status": "error",
  "message": "Failed to process webhook"
}

Important: Singa Payment Gateway will retry failed webhooks (non-200 responses) up to 3 times with exponential backoff.

​Product Expiration Specific Notes

​Optional Webhook

This webhook is completely optional. If you don’t configure a product_expiration_notif_url, no webhooks will be sent for product expirations. Your payment products will still expire normally and change status accordingly - this webhook only serves as a notification mechanism.

When to use this webhook:

• Automated cleanup of expired products from your system
• Send notifications to customers about expired payment links/VAs
• Generate reports on product expiration patterns
• Trigger automated processes (e.g., resend payment links, create new VAs)
• Monitor product lifecycle and usage efficiency
• Alert operations team about high expiration rates

When you can skip this webhook:

• You check product status via API on-demand
• You don’t need automated expiration notifications
• Manual monitoring is sufficient for your use case
• You prefer to poll for status changes

​Batch Notification

This webhook is unique - it sends batch notifications containing multiple expired products in a single webhook call:

• Multiple product types: Can include Payment Links, Virtual Accounts, and QRIS in one webhook
• Multiple items per type: Each array can contain many expired products
• Scheduled execution: Triggered by system cron job (not real-time)
• Efficient: Reduces webhook calls by batching expirations

Example scenarios:

// Scenario 1: Only VAs expired
{
  "data": {
    "payment_links": [],  // Empty
    "virtual_accounts": [/* 10 expired VAs */],
    "qris_transactions": []  // Empty
  },
  "summary": {
    "total_expired": 10,
    "virtual_accounts_count": 10
  }
}

// Scenario 2: Mixed expired products
{
  "data": {
    "payment_links": [/* 3 expired PLs */],
    "virtual_accounts": [/* 5 expired VAs */],
    "qris_transactions": [/* 2 expired QRIS */]
  },
  "summary": {
    "total_expired": 10,
    "payment_links_count": 3,
    "virtual_accounts_count": 5,
    "qris_transactions_count": 2
  }
}

​Processing Batch Webhooks

When handling batch notifications, iterate through each product type:

$payload = json_decode($requestBody, true);

// Process expired payment links
foreach ($payload['data']['payment_links'] as $paymentLink) {
    $id = $paymentLink['id'];
    $reffNo = $paymentLink['reff_no'];
    $title = $paymentLink['title'];

    // Update your database
    updatePaymentLinkStatus($id, 'expired');

    // Notify customer
    notifyCustomerPaymentLinkExpired($reffNo, $title);

    // Log for analytics
    logExpiration('payment_link', $id);
}

// Process expired virtual accounts
foreach ($payload['data']['virtual_accounts'] as $va) {
    $id = $va['id'];
    $vaNumber = $va['virtual_account_number'];

    // Update your database
    updateVAStatus($id, 'expired');

    // Archive VA number
    archiveVirtualAccount($vaNumber);

    // Log for analytics
    logExpiration('virtual_account', $id);
}

// Process expired QRIS transactions
foreach ($payload['data']['qris_transactions'] as $qris) {
    $id = $qris['id'];
    $nmid = $qris['nmid'];

    // Update your database
    updateQrisStatus($id, 'expired');

    // Log for analytics
    logExpiration('qris', $id);
}

// Use summary for quick stats
$totalExpired = $payload['summary']['total_expired'];
if ($totalExpired > 100) {
    alertHighExpirationRate($totalExpired);
}

​Product Types Included

The webhook can contain three types of expired products:

1. Payment Links (data.payment_links)

   • Products: Payment link pages
   • Fields: id, reff_no, title, status, expired_at
   • Use case: Resend new payment links to customers

2. Virtual Accounts (data.virtual_accounts)

   • Products: Temporary and permanent VAs
   • Fields: id, reff_no, virtual_account_number, status, expired_at
   • Use case: Clean up expired VA numbers, notify customers

3. QRIS Transactions (data.qris_transactions)

   • Products: QRIS payment transactions
   • Fields: id, reff_no, nmid, status, expired_at
   • Use case: Track QRIS transaction lifecycle

​Simplified Data Structure

Note: The webhook sends minimal data for each expired product to keep the payload size manageable for batch notifications. The following fields are NOT included:

• ❌ Amount/value
• ❌ Currency
• ❌ Payment URL (for payment links)
• ❌ Usage counts (for payment links)
• ❌ Bank code (for VAs)
• ❌ QR string (for QRIS)
• ❌ Created/updated timestamps

If you need complete product details, use the product’s id or reff_no to query via API.

​Timestamp Format

Important: This webhook uses human-readable timestamp format, not Unix timestamps:

• Format: d M Y H:i:s (e.g., “26 Dec 2025 14:00:00”)
• Timezone: Server timezone (typically Asia/Jakarta / WIB)
• Fields using this format:
  • timestamp (root level)
  • expired_at (for each product)

Parsing timestamps:

// PHP
$timestamp = $payload['timestamp']; // "26 Dec 2025 14:00:00"
$date = DateTime::createFromFormat('d M Y H:i:s', $timestamp);

// Or use Carbon (Laravel)
$date = \Carbon\Carbon::createFromFormat('d M Y H:i:s', $timestamp);

# Python
from datetime import datetime

timestamp = payload['timestamp']  # "26 Dec 2025 14:00:00"
date = datetime.strptime(timestamp, '%d %b %Y %H:%M:%S')

// JavaScript
const timestamp = payload.timestamp; // "26 Dec 2025 14:00:00"
const date = new Date(timestamp);

​Access Token Format

The Authorization header contains a randomly generated token, not a user access token:

// This is NOT a user JWT token - it's a random string
Authorization: Bearer a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Why random?

• This webhook is triggered by the system’s scheduled cron job (not by a user API call)
• There’s no user session or JWT token to include
• The random token is generated using Str::random(32) for each webhook

For signature validation:

• Extract the token from the header normally
• Use it in the string to sign
• The signature will still be valid because it’s signed with your client secret

​Idempotency

Use unique reference numbers to prevent duplicate processing:

// Generate unique webhook identifier
$webhookId = $payload['event'] . '_' . $payload['merchant']['id'] . '_' . strtotime($payload['timestamp']);

// Check if already processed
if (isWebhookProcessed($webhookId)) {
    // Already processed, return success without re-processing
    return http_response_code(200);
}

// Process webhook
processExpirationBatch($payload);

// Mark as processed
markWebhookProcessed($webhookId);

​Summary Statistics

Use the summary object for quick stats and alerting:

$summary = $payload['summary'];

// Log batch statistics
logExpirationBatch([
    'total' => $summary['total_expired'],
    'payment_links' => $summary['payment_links_count'],
    'vas' => $summary['virtual_accounts_count'],
    'qris' => $summary['qris_transactions_count'],
    'timestamp' => $payload['timestamp']
]);

// Alert on high expiration rates
if ($summary['total_expired'] > 50) {
    sendAlert("High expiration rate: {$summary['total_expired']} products expired");
}

// Track expiration patterns
if ($summary['payment_links_count'] > $summary['total_expired'] * 0.7) {
    // More than 70% are payment links
    alertTeam("Most expirations are payment links - review link expiration settings");
}

​Error Handling

Handle cases where arrays might be empty:

// Check if any products expired
if ($payload['summary']['total_expired'] === 0) {
    // No products expired (shouldn't normally happen, but be safe)
    return http_response_code(200);
}

// Check each product type before processing
if (!empty($payload['data']['payment_links'])) {
    processExpiredPaymentLinks($payload['data']['payment_links']);
}

if (!empty($payload['data']['virtual_accounts'])) {
    processExpiredVirtualAccounts($payload['data']['virtual_accounts']);
}

if (!empty($payload['data']['qris_transactions'])) {
    processExpiredQrisTransactions($payload['data']['qris_transactions']);
}

​Scheduling and Timing

When does this webhook fire?

• Triggered by system cron job (scheduled task)
• Typically runs hourly or daily (check with Singa support for exact schedule)
• Not real-time - there may be a delay between expiration and notification
• Batches all products that expired since last check

Important: Don’t rely on this webhook for real-time expiration detection. If you need immediate expiration handling, poll product status via API or use individual product webhooks.

​Use Cases

1. Automated Product Cleanup:

// Archive expired products to historical table
foreach ($payload['data']['virtual_accounts'] as $va) {
    archiveExpiredVA($va['id'], $va['expired_at']);
    deleteFromActiveVAs($va['id']);
}

2. Customer Re-engagement:

// Send follow-up for expired payment links
foreach ($payload['data']['payment_links'] as $pl) {
    $customer = getCustomerByPaymentLink($pl['reff_no']);
    if ($customer) {
        sendEmail($customer->email, "Your payment link expired. Here's a new one!");
        createNewPaymentLink($customer);
    }
}

3. Analytics and Reporting:

// Track expiration patterns
generateExpirationReport([
    'date' => $payload['timestamp'],
    'total' => $payload['summary']['total_expired'],
    'by_type' => [
        'payment_links' => $payload['summary']['payment_links_count'],
        'virtual_accounts' => $payload['summary']['virtual_accounts_count'],
        'qris' => $payload['summary']['qris_transactions_count'],
    ]
]);

4. Operations Monitoring:

// Alert on unusual patterns
$summary = $payload['summary'];
if ($summary['total_expired'] > historicalAverage() * 2) {
    alertOperations("Expiration rate 2x above average - investigate!");
}