Webhook for Payout Requests
Overview
Tylt provides a webhook mechanism for merchants to receive real-time updates on the status of their payout requests, Merchants can specify a callBackUrl by navigating to the Bulk Payouts> Add Callback URL on the Tylt Application.
Webhook updates are triggered for each change in state of an individual payout request, not for the overall payout instance.
To track the status or updates of a payout instance, please use the appropriate API endpoint provided below
Setting Up the Webhook
Implement a Callback Endpoint: Merchants must set up an HTTP POST endpoint that can receive JSON payloads. This endpoint should be capable of processing the incoming webhook data and verifying its authenticity using HMAC-SHA256 signature validation.
Status Updates: The life cycle of a payment instance is tracked via
event. Below is the list of possibleeventvalues and their meanings:
created
Payout request created
initiated
Payout request has been initiated and awaiting further processing
processing
Payout request is being processed. Transaction is currently in progress and being handled by the system.
pending
Payout request has completed processing and is awaiting status confirmation
completed
Payout request has completed processing successfully and the UTR confirmation is returned.
failed
Payout request could not be processed and the transaction failed.
deleted
Payout deleted
Callback Validation: To ensure the integrity and authenticity of the callback, Tylt signs each callback payload using HMAC-SHA256 with the merchant’s API secret key. This signature is sent in the HTTP header
X-TLP-SIGNATURE.Acknowledge the Callback: Upon receiving the callback, merchants must respond with an HTTP 200 status code and the text
"ok"in the response body. This acknowledges the successful receipt of the callback. If the acknowledgment is not received, the webhook will not be retried automatically. Merchants can manually resend webhooks from their Tylt dashboard.
Validating Callbacks
Merchants should validate the HMAC signature included in the X-TLP-SIGNATURE header to ensure the callback is from Tylt and has not been tampered with. The HMAC signature is generated using the raw POST data and the MERCHANT_API_SECRET as the shared key.
Example Web-hook Handling Code
const express = require('express');
const crypto = require('crypto');
const app = express();
const PORT = 3000;
const apiSecretKey = 'YOUR_TLP_API_SECRET_KEY'; // Replace with your actual API secret key
// Middleware to parse incoming JSON requests
app.use(express.json());
// Callback endpoint
app.post('/callback', (req, res) => {
const data = req.body;
// Calculate HMAC signature
const tlpSignature = req.headers['x-tlp-signature'];
const calculatedHmac = crypto
.createHmac('sha256', apiSecretKey)
.update(JSON.stringify(data)) // Use raw body string for HMAC calculation
.digest('hex');
if (calculatedHmac === tlpSignature) {
// Signature is valid
// Process pay-out data here
// Return HTTP Response 200 with content "ok"
res.status(200).send('ok');
} else {
// Invalid HMAC signature
res.status(400).send('Invalid HMAC signature');
}
});
// Start the server
app.listen(PORT, () => {
console.log(`Server listening on port ${PORT}`);
});
Again, please note that these code snippets serve as examples and may require modifications based on your specific implementation and framework.
Example of Web-hook Responses
{
"utr": null,
"event": "created",
"amount": 100,
"createdAt": "2025-07-11T09:55:16Z",
"feeAmount": 0.03,
"requestId": "6fe4513b-20c9-484c-b18c-34abf92b40a2",
"secretKey": "4f3d34b6f2c86fe9b223bdd69a497f443a1f67637c29ef8bb9ef5d1c4ab17482",
"updatedAt": "2025-07-11T09:55:21Z",
"cryptoAmount": 1.16,
"merchantRefId": "merchant-ref-test",
"beneficiaryIFSC": "SBIN0001895",
"beneficiaryName": "Akshat Agarwal",
"fiatCurrencySymbol": "INR",
"cryptoCurrencySymbol": "USDT",
"beneficiaryAccountNumber": "38556507709"
}Last updated