Operation Notification

Ottu’s operation webhooks provide real-time insights into post-transaction activities, specifically focusing on refund, capture, and void. Operating asynchronously, they ensure merchants are promptly informed about these crucial subsequent payment gateway operations without disrupting the main transaction flow. By utilizing these webhooks, merchants gain a clearer view of their transactional landscape, enhancing decision-making and customer interactions.

Setup

To ensure you receive notifications for subsequent payment gateway operations, it’s essential to configure the operation webhooks correctly. Here’s a brief guide on setting it up:

1. Webhook URL Configuration:
   There are two ways to configure webhook_url for operations

• Configuring the operation webhook_url within webhook general configuration. For more details, click here.
• Configuring the operation webhook_url through payment webhook plugin configuration. For further information, click here.

2. Enable API-initiated Transaction Notifications:
   If you want to receive webhook notifications for transactions initiated via the API, ensure you check the box labeled “Enable webhook notifications if transaction initiated from API.” For instructions on how to do this, please consult the following reference.
3. Webhook Configuration Details:
   For a more in-depth understanding and additional configuration options, refer to the dedicated webhook config section in the documentation.
4. Webhook Setup Requirements:
   It’s worth noting that the requirements for setting up operation webhooks align with those detailed in the “webhooks overview” page. Ensure you’re familiar with these requirements to guarantee a smooth setup process. For details on these requirements, click here.

By following these steps and ensuring your webhook is correctly configured, you’ll be well-equipped to receive timely updates on all your payment gateway operations.

Params

oneOf

object

 detailstringrequired

Provides a message associated with the operation, suitable for displaying to the end user.

 operationstringrequired

Specifies the executed operation. It can be either delete, cancel, or expire.

• refund - Refund
• void - Void
• capture - Capture
• delete - Delete
• cancel - Cancel
• expire - Expire

Possible values: [refund, void, capture, delete, cancel, expire]

 resultstringrequired

Indicates the outcome of the operation. success denotes a successful operation.

• success - Success
• failed - Failed

Possible values: [success, failed]

object

 amountstringrequired

The specific amount for which the operation was performed.

 extra

The extra information for the payment details, which the merchant has sent it in key value form.

 initiator object

If the operation was performed using Basic Auth (and not an API Key), this field contains the details of the initiator who started the operation.

 emailstring<email>required

Possible values: <= 254 characters

 first_namestring

Possible values: <= 32 characters

 idintegerrequired

 last_namestring

Possible values: <= 32 characters

 phonePhone number (string)

Possible values: <= 128 characters

 usernamestringrequired

Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.

Possible values: <= 150 characters, Value must match regular expression ^[\w.@+-]+$

 is_sandboxIs Sandbox? (boolean)

Indicates whether the operation was performed in a test environment or not.

 operationstringrequired

Identifies the operation that was executed.

Possible values: [capture, refund, void]

 order_nostringrequired

The 'order_no' field indicates the unique order number of the parent transaction. This identifier is crucial for tracking and managing the related order within its entire lifecycle.

 pg_codestring

Represents the pg_code of the Payment Gateway settings which was used to perform the operation.

 pg_params objectrequired

Normalized payment gateway response parameters. Ottu maps varied PG responses into these fixed fields, so you can interpret payment results consistently regardless of which gateway processed the transaction. Use these fields instead of parsing the raw gateway_response object.

 auth_code

Authorization code returned by the payment gateway for the transaction.

 card_details

Additional card details object as returned by the payment gateway.

 card_expiry

Card expiry date in a gateway-specific format.

 card_expiry_month

Expiry month of the card (e.g., "01", "12").

 card_expiry_year

Expiry year of the card (e.g., "2025", "25").

 card_holder

Full name of the cardholder as provided by the payment gateway.

 card_issuer

The issuing bank or financial institution of the card.

 card_number

Masked card number (PAN) used for the transaction (e.g., "411111******1111").

 card_type

The type of card used (e.g., "credit", "debit", "prepaid").

 cardholder_email

Email address of the cardholder, if provided by the payment gateway.

 dcc_payer_amount

The amount in the payer's currency when Dynamic Currency Conversion (DCC) is applied.

 dcc_payer_currency

The payer's local currency code when DCC is applied (e.g., "USD", "EUR").

 dcc_payer_exchange_rate

The exchange rate applied for DCC conversion.

 decision

The gateway's final decision on the transaction (e.g., "ACCEPT", "REJECT", "REVIEW").

 full_card_expiry

Full card expiry in MM/YY or MM/YYYY format, as returned by the gateway.

 payment_id

Payment identifier from the payment gateway, used for tracking and reconciliation.

 pg_message

Human-readable message from the payment gateway describing the transaction outcome.

 post_date

The date the transaction was posted/settled by the payment gateway.

 receipt_no

Receipt number generated by the payment gateway for the transaction.

 ref

Gateway-specific reference identifier for the transaction.

 result

The normalized transaction result from the payment gateway (e.g., "CAPTURED", "APPROVED", "DECLINED").

 rrn

Retrieval Reference Number — a unique identifier used for transaction lookups and dispute resolution.

 track_id

Tracking identifier assigned by the payment gateway for reconciliation.

 transaction_id

Unique transaction identifier assigned by the payment gateway.

 transaction_no

Transaction number assigned by the gateway, often different from transaction_id.

 pg_response objectrequired

Contains the raw response from the payment gateway (PG) for the operation (pg_response). It will always be a valid JSON.

 property name*any

Contains the raw response from the payment gateway (PG) for the operation (pg_response). It will always be a valid JSON.

 reference_numberstringrequired

A unique reference_number assigned by Ottu for the performed operation. It's also sent to the PG and can be used as a reconciliation parameter.

 resultstringrequired

The result of the operation - whether it was successful or not.

Possible values: [success, failed]

 session_idstringrequired

The session ID of the parent transaction will be included in the webhook payload. This session ID is crucial for associating the webhook event with the original transaction, allowing for accurate tracking and processing.

 signaturestringrequired

Signature Field: A cryptographic hash used to guarantee data integrity and authenticity during client-server exchanges. This hash ensures that the API payload has not been tampered with, and can only be verified by authorized parties.

 sourcestringrequired

Can have one of two values - input or pg. If input, it means the operation was performed in an API call triggered by the merchant. If pg, it means the operation was done on the PG management dashboard, and the PG notified Ottu via webhook. The pg value will always be notified to the webhook, never in an API call.

Possible values: [input, pg]

 successbooleanrequired

Indicates whether the operation was successful or not (success=True or success=False).

 timestamp_utcstring<date-time>required

Specifies the time when the operation was performed, in the UTC timezone.

 txn objectrequired

Every operation results in the creation of a payment transaction (txn), which is a child of the payment transaction against which the operation is performed. This child transaction holds all the details of the operation.

 amountstringrequired

 currency_codestringrequired

The specified currency represents the denomination of the transaction.Nevertheless, it doesn't necessarily mandate payment in this exact currency.Due to potential currency conversions or exchanges, the final charge may be in a different currency.

Possible values: >= 3 characters and <= 3 characters

 order_nostring | nullnullable

The unique identifier assigned to this payment transaction. It is used for tracking purposes and is set by the merchant or the system.

Possible values: <= 128 characters

 session_idstring

A unique identifier for each payment transaction, used to maintain the session state during the payment process.

Possible values: <= 128 characters

 statestring

The current state of the payment transaction, it helps to understand the progress of the payment.

• paid - paid
• refunded - refunded
• refund_queued - refund_queued
• refund_rejected - refund_rejected
• voided - voided

Possible values: [paid, refunded, refund_queued, refund_rejected, voided]

Event Types

Operation webhooks are activated under the following scenarios:

1. Ottu Dashboard Trigger: When a payment operation (refund, void, or capture) is initiated directly from the Ottu dashboard, the system will automatically send a webhook notification to the subscriber’s registered endpoint.
2. REST API Trigger: If a payment operation is executed via Ottu’s REST API, external operations API, the webhook system will again ensure that a notification is dispatched to the subscriber’s endpoint. This ensures that even automated or system-driven operations are communicated in real-time.
3. Payment Gateway Dashboard Trigger: Some Payment Gateways (PG) have their own webhook systems in place. If a payment operation is performed on the Payment Gateway’s dashboard and that PG has enabled webhooks, it will notify Ottu. Ottu, in turn, will relay this information to the subscriber by triggering the operation webhook. This cascading notification ensures that even if operations are performed outside of Ottu’s immediate ecosystem, subscribers remain in the loop. To access further details regarding the available operations for each payment gateway, please click here.

Payload example (refund)

{
   "amount":"9.000",
   "initiator":{
      "email":"[email protected]",
      "first_name":"example",
      "id":35,
      "last_name":"",
      "phone":"",
      "username":"username_example"
   },
   "is_sandbox":true,
   "operation":null,
   "order_no":"Y3ODg",
   "pg_code":"credit-card",
   "pg_response":{
      "It will contain the raw pg response sent by the pg to Ottu"
   },
   "reference_number":"staging4AQ64A",
   "result":"success",
   "session_id":"bb7fc280827c2f177a9690299cfefa4128dbbd60",
   "signature":"65f655d2161*************",
   "source":"input",
   "success":true,
   "timestamp_utc":"2023-11-02 09:02:06",
   "txn":{
      "amount":"9.000",
      "currency_code":"KWD",
      "order_no":"",
      "session_id":"43ae8773f2c61f2ef41e3024e3b8f8bf45667d44",
      "state":"refunded"
   }
}

Acknowledging an Operation

Upon receiving an operation notification, it’s essential to discern and acknowledge the operation’s status and specifics. Here’s a guide on how to interpret the provided details:

Identifying the Transaction:
Every operation is a subsequent action performed on a specific payment transaction, identifiable by its session_id or order_no. These operations spawn child payment transactions, each with its distinct payment attempt and state, without altering the primary transaction. The child transaction details are housed in the txn field of the webhook payload. You can retrieve all child transactions from the Payment webhook under the transactions parameter or by invoking the Payment Status API.

1. Types of Operations:

• Real-time Operations: Immediate actions where, for instance, a refund request results in an instant refund. Child transactions are created for successful real-time operations, while failures aren’t stored.
• Queued Operations: The Payment Gateway (PG) might not approve the request instantly, placing it in a queue for later processing. Such operations initially bear a <operation>_queued state. Once processed, the state either transitions to the specific operation state (like refunded, captured, voided) or <operation>_rejected.

2. Understanding Real-time and Queued Payment Gateways:To determine which Payment Gateways operate in real-time and which ones use the queued system, you can consult the list provided here.
3. Additional Information: Upon receiving a <operation>_queued status, such as refund_queued, it’s imperative to archive this response. Ottu will subsequently notify the operation webhook URL with the conclusive result.
4. Understanding the result Field: result this field elucidates the operation’s outcome:

• success: The operation was executed successfully.
• rejected: The operation was declined. This status invariably succeeds a queued status.
• queued: The operation awaits processing and will be updated in due course.

5. Verifying the Amount: As operations exclusively function in the original payment transaction currency, inspecting the amount field ensures the accurate amount is either deducted or appended.
6. Interpreting the Transaction State (Optional): The transaction’s state can be discerned using the txn.state field:

• txn.state = paid: The transaction was captured.
• txn.refunded: The transaction was refunded.
• txn.refund_queued: The refund operation is pending.
• txn.refund_rejected: The refund operation was declined.
• txn.voided: The transaction was voided.

By accurately interpreting these fields and states, you can ensure precise acknowledgment of all your subsequent payment operations.

7. Verifying the Signature

Every operation webhook payload includes a signature field — an HMAC-SHA256 hash that proves the payload came from Ottu. Always verify this signature before processing the operation result.

For implementation details and code examples, see Verify Signatures.

danger

Never process an operation webhook without verifying the signature. An unverified payload could be forged by an attacker.

For general webhook setup and configuration, see the Webhooks Overview.

What's Next?

• PG Params — Normalized gateway response fields reference
• Payment Events — Webhook notifications for payment transactions
• Verify Signatures — Validate webhook authenticity with HMAC-SHA256
• Webhooks Overview — Setup, delivery guarantees, and configuration