Webhook - Payment Method Registered #

1. Webhook Overview #

Purpose #

This Webhook event is sent from the EBP system to the store when a user successfully registers a payment method (Card, Direct Debit, etc.).
Through this event, the store can verify the activation status of the payment method in real-time and proceed with subsequent processes to utilize the registered payment method for future payment requests.

Note: A registered URL is required to receive Webhooks. (Contact: ebp-server@lge.com)

Details #

Item	Value
Webhook Name	Payment Method Created
Event Type	`PAYMENT_METHOD_CREATED`	.md/.ㅡㅇ
HTTP Method	POST
Region	Global

2. Authentication #

All Webhook requests sent by the EBP system include the following headers for integrity verification. The store must validate these values to ensure the request is legitimate.

Header Name	Description
`x-webhook-signature`	HMAC-SHA256 signature used to verify the integrity of the Webhook message
`x-webhook-signature-timestamp`	Timestamp when the Webhook event was sent (Unix Epoch, seconds)

Signature Generation and Verification Rules #

The store should generate its own signature by combining the received Webhook body data and the timestamp header value, then compare it with the received x-webhook-signature value.

Input Message Composition: x-webhook-signature-timestamp header value + "." + original Request Body (JSON String)
Hashing: Hash the composed message using the HMAC-SHA256 algorithm and the Webhook Secret Key issued by EBP.
Encoding: Convert the hashing result into a Hex string (Hexadecimal).
Verification: Check if the generated Hex string matches the value in the x-webhook-signature header.

Verification Example (Java) #

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class WebhookVerifier {
    private static final String HMAC_SHA256 = "HmacSHA256";

    /**
     * Webhook signature verification method
     *
     * @param secretKey     Webhook Secret Key issued by EBP
     * @param timestamp     Value of x-webhook-signature-timestamp header
     * @param requestBody   Received HTTP Request Body (JSON string)
     * @param receivedSig   Value of x-webhook-signature header
     * @return Whether the verification was successful
     */
    public boolean verifySignature(String secretKey, String timestamp, String requestBody, String receivedSig) {
        if (timestamp == null || receivedSig == null || secretKey == null || secretKey.isEmpty()) {
            return false;
        }

        try {
            String inputMessage = timestamp + "." + requestBody;
            
            Mac mac = Mac.getInstance(HMAC_SHA256);
            SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);
            mac.init(secretKeySpec);
            
            byte[] hashBytes = mac.doFinal(inputMessage.getBytes(StandardCharsets.UTF_8));
            String generatedSig = HexFormat.of().formatHex(hashBytes);
            
            return generatedSig.equalsIgnoreCase(receivedSig);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            // log.error("Failed to verify EBP webhook signature", e);
            return false;
        }
    }
}

[!IMPORTANT]
The Webhook Secret Key must be issued through EBP. For inquiries, please contact ebp-server@lge.com. If signature verification fails, the request should be considered untrusted and ignored.

3. Data Schema #

3.1. Payload Data Schema #

depth	Field	Details & Description
-1	eventType	`string` 🔴 Required Event type e.g., PAYMENT_METHOD_CREATED
-1	eventTime	`string` 🔴 Required Timestamp when the event occurred e.g., 2026-01-27T04:40:00Z
-1	data	`object` 🔴 Required Detailed payment method registration data
0	userNo	`string≤ 500` 🔴 Required Unique number identifying the user e.g., TH1741850000100
0	paymentMethodId	`string` 🔴 Required Registered payment method ID e.g., 3e104ef7b98f4123948a8c248d0da4c5
0	status	`string` 🔴 Required Payment method status e.g., ACTIVE, ACTION_REQUIRED
0	paymentMethod	`string` 🔴 Required Registered payment method type e.g., CARD, DIRECT_DEBIT
0	resultCode	`string` 🔴 Required EBP result code ('0' for success) e.g., 0
0	resultMessage	`string` ⚪ Optional Result message (e.g., error reason) e.g., SUCCESS
0	pgProvider	`string` 🔴 Required Payment Gateway provider code e.g., WORLDPAY, OMISE

3.2. Payload Example #

{
  "eventType": "PAYMENT_METHOD_CREATED",
  "eventTime": "2026-01-27T04:40:00Z",
  "data": {
    "userNo": "TH1741850000100",
    "paymentMethodId": "3e104ef7b98f4123948a8c248d0da4c5",
    "status": "ACTIVE",
    "paymentMethod": "CARD",
    "resultCode": "0",
    "resultMessage": "SUCCESS",
    "pgProvider": "WORLDPAY"
  }
}