Skip to main content

Webhooks

This section gathers endpoints for managing notifications by the receiving PSP to the receiving end user.


Understanding the mTLS pattern

By Central Bank regulation, it will be necessary to insert an Efí public key into your server so that communication follows the mTLS standard. In the domain representing your server, you should configure the requirement of the public key (mTLS) that we are providing, so that mutual authentication occurs.

Efí will make 2 requests to your domain (server):

  1. First Request: We will ensure that your server is requiring an Efí public key. To do this, we will send a request without a certificate and your server should not accept the request. If your server responds with refusal, we will send the 2nd request.
  2. Second Request: Your server, which must contain the provided public key, should perform the "Hand-Shake" so that communication is established.

Your server must have a minimum TLS version of 1.2.

On your server, configure a 'POST' route with a default response as a string "200". Include our production or Sandbox certificate on your server, below are some examples.

Dedicated Servers

It is recommended that you have a dedicated server to be able to perform webhook configurations, as you need access to some files to make the configurations, as in the examples below.


Examples of server settings

To configure your server, you will need the Efí public keys. Below are the addresses of the keys for the Production and Sandbox environments. These keys must be downloaded and placed on your server.

AttributePublic Key URL
Productionhttps://certificados.efipay.com.br/webhooks/certificate-chain-prod.crt
Sandboxhttps://certificados.efipay.com.br/webhooks/certificate-chain-homolog.crt

The code snippets below aim to exemplify the necessary configurations on your server to perform the hand-shake with our servers.

from flask import Flask, jsonify, request
import ssl
import json
app = Flask(__name__)

@app.route("/", methods=["POST"])
def imprimir():
response = {"status": 200}
return jsonify(response)


@app.route("/pix", methods=["POST"])
def imprimirPix():
imprime = print(request.json)
data = request.json
with open('data.txt', 'a') as outfile:
outfile.write("\n")
json.dump(data, outfile)
return jsonify(imprime)

if __name__ == "__main__":
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations('caminho-certificados/certificado-público.crt')
context.load_cert_chain(
'caminho-certificados/server_ssl.crt.pem',
'caminho-certificados/server_ssl.key.pem')
app.run(ssl_context=context, host='0.0.0.0')
#Developed by the Technical Consulting Team at Efí

To have a valid SSL, you must contact a Certificate Authority and generate the private key server_ssl.key.pem and a public one server_ssl.crt.pem, thus validating the integrity of the connection. You can do this for free using a utility like Certbot, for example.

Skip-mTLS

For hosting on shared servers, there may be restrictions regarding the insertion of certificates generated by another entity, such as our CA, for example. Therefore, we provide the option to skip mTLS, which allows registering the webhook without the need for mTLS validation.

Attention!

It is important to note that we will always send the certificate in webhooks, whether in registration or in Pix notification. However, when skip-mTLS is used, you, the integrating party, are responsible for validating our certificate.

If you choose to use the skip mTLS attribute, that is, without mTLS validation on your server, you must implement measures to ensure that the sender of the webhooks to your server is indeed Efí.


We suggest the following two validation methods, but strongly recommend that you use them together:

  • Check the communication IP: You can restrict communication to the webhook domain to only accept messages from the IP used by Efí.
  • IP currently used in our communications: '34.193.116.226'.
  • Add a hash to the registered webhook URL: Create an hmac (a proprietary identifier) that will be appended to the end of the URL when registering the webhook. This hash will be used to validate the origin of the notification. Thus, all webhooks sent to your server will have this final identification and your application must validate its presence.
    Example:
    Original notification URL: https://your_domain.com.br/webhook
    How it should be registered with the hash: https://your_domain.com.br/webhook?hmac=xyz&ignorar=. The term ignorar= will serve to handle the addition of /pix at the end of the URL.

How to register skip-mTLS:

To configure the Pix webhook, you must use the specific endpoint and pass the parameter x-skip-mtls-checking in the request header with the value true or false depending on whether you want to enable or disable this feature.

The image below shows how this parameter should be provided:


Setting Pix Webhook

Endpoint for configuring the notification service for received Pix. Pix originating from static collections will only be notified if they are associated with a txid.

Reminder

A webhook URL can be associated with multiple Pix keys.

On the other hand, a Pix key can only be linked to a single webhook URL.


Information

When registering your webhook, we will send a test notification to the registered URL, however when a notification is actually sent, the path /pix will be added to the end of the registered URL. To avoid needing two distinct routes, you can add a ?ignorar= parameter to the end of the registered URL, so that /pix is not added to your URL route.


PUT /v2/webhook/:chave
Requires authorization for the scope: webhook.write


Request

{
"webhookUrl": "https://exemplo-pix/webhook"
}

Response

The Responses below represent Success(201) and consumption failures/errors.

Webhook for notifications about Pix received associated with a txid.

Get webhook information

Endpoint for retrieving information about the pix webhook .

GET /v2/webhook/:chave
Requires authorization for the scope: webhook.read


Response

The responses below represent Consumption Success(200).

{
"webhookUrl": "https://gn-pix-webhook.gerencianet.com.br/webhook/",
"chave": "40a0932d-1918-4eee-845d-35a2da1690dc",
"criacao": "2020-11-11T10:15:00.358Z"
}

Get list of webhooks

Endpoint to retrieve webhooks associated with keys through parameters such as inicio and fim. Attributes are entered as query params.

GET /v2/webhook
Requires authorization for the scope: webhook.read


Request

The snippet below shows how the inicio and fim parameters(mandatory) should be passed in the request.

/v2/webhook/?inicio=2020-10-22T16:01:35Z&fim=2020-10-23T16:01:35Z

Response

The responses below represent Success(200) and consumption failures/errors.

{
"parametros": {
"inicio": "2021-01-22T16:01:35.000Z",
"fim": "2022-12-30T16:01:35.000Z",
"paginacao": {
"paginaAtual": 0,
"itensPorPagina": 100,
"quantidadeDePaginas": 1,
"quantidadeTotalDeItens": 5
}
},
"webhooks": [
{
"webhookUrl": "https://seudominio.com.br/gn/webhook/",
"chave": "40a0932d-1618-4eee-845d-35a2da1590dc",
"criacao": "2021-05-05T19:52:13.000Z"
},
{
"webhookUrl": "https://.projetosseudominio.seudominio.com.br/gn/webhook/",
"chave": "40a0932d-1918-0eee-845d-35a2da1690dc",
"criacao": "2021-10-18T14:42:41.000Z"
},
{
"webhookUrl": "https://seudominio.com.br/webhook/?ignorar=",
"chave": "40a0032d-1918-45ee-845d-3562da1690dc",
"criacao": "2021-11-03T12:25:15.000Z"
}
]
}

Cancel Pix webhook

Endpoint for canceling the pix webhook.

DELETE /v2/webhook/:chave
Requires authorization for the scope: webhook.write


Response

The response below represents Success (204) of consumption.

Webhook for Pix notifications has been canceled.

Receiving Callbacks

This service is protected by a layer of mTLS authentication. Callbacks are sent by Efí via POST url-registered-webhook​/pix when there is a change in the Pix status.

Information

To test Pix Cob and Pix CobV charge endpoints in the sandbox environment, you can simulate all status changes returned by our API and webhook.

Charges with values between R$ 0.01 and R$ 10.00 are confirmed, and you will receive the information via webhook.
Charges with values above R$ 10.00 remain active, without confirmation, and there are no webhooks for these cases.


Request