Developers

Integrate HashPrism payments into your workflow. Receive real-time event notifications via webhooks, query payment data through the API, and automate your fulfillment pipeline.

Webhooks

HashPrism sends signed HTTP POST requests to your endpoint when payment and refund events occur. Use webhooks to trigger fulfillment, update your database, send buyer receipts, or integrate with third-party services.

Setup

  1. Go to Dashboard → Settings → Webhooks
  2. Add your HTTPS endpoint URL (up to 5 endpoints per account)
  3. Copy the webhook secret shown at creation — it is only displayed once
  4. Use the Test button to send a sample payload and verify your endpoint is receiving correctly

Request Format

Every webhook request is a POST with the following headers:

Content-Type: application/json
X-HashPrism-Event: payment.confirmed
X-HashPrism-Signature: <HMAC-SHA256 hex digest of the raw body>

Retry Behavior

HashPrism attempts delivery up to 3 times per event with exponential backoff (immediate, 1 second, 2 seconds). Your endpoint should return a 2xx status within 10 seconds. If all 3 attempts fail, the failure is logged in Dashboard → Settings → Webhooks but the event is not re-queued. Delivery status and HTTP response codes are available in the webhook events log.

Events

payment.confirmed: Fired when a payment transaction is verified on-chain
{
  "event": "payment.confirmed",
  "data": {
    "payment_id": "3f2a1c8e-...",
    "product_name": "My eBook",
    "product_slug": "my-ebook",
    "currency": "USDC",
    "amount_crypto": 9.99,
    "price_usd": 9.99,
    "tx_signature": "5yYZ1km..."
  },
  "timestamp": "2026-02-20T14:30:00.000Z"
}
refund.confirmed: Fired when a refund transaction is verified on-chain
{
  "event": "refund.confirmed",
  "data": {
    "refund_id": "9c4b2d1a-...",
    "payment_id": "3f2a1c8e-...",
    "product_name": "My eBook",
    "product_slug": "my-ebook",
    "currency": "USDC",
    "amount_crypto": 9.99,
    "price_usd": 9.99,
    "tx_signature": "8aBC2zk..."
  },
  "timestamp": "2026-02-20T15:00:00.000Z"
}
test: Sent when you click the Test button in Settings
{
  "event": "test",
  "data": {
    "message": "HashPrism webhook test — your endpoint is working."
  },
  "timestamp": "2026-02-20T15:00:00.000Z"
}

Signature Verification

Every webhook request includes an X-HashPrism-Signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your webhook secret. Always verify this before processing a payload.

Node.js

import crypto from 'crypto'

export async function POST(req: Request) {
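  // Read the body once, unparsed; the HMAC covers exactly these bytes
  const rawBody = await req.text()
  // A missing header becomes an empty string and fails the check below
  const signature = req.headers.get('x-hashprism-signature') ?? ''

  const expected = crypto
    .createHmac('sha256', process.env.WEBHOOK_SECRET!)
    .update(rawBody)
    .digest('hex')

  // Constant-time comparison; timingSafeEqual throws on unequal lengths,
  // so compare the lengths first
  const sigBuf = Buffer.from(signature, 'utf8')
  const expBuf = Buffer.from(expected, 'utf8')
  if (sigBuf.length !== expBuf.length || !crypto.timingSafeEqual(sigBuf, expBuf)) {
    return new Response('Unauthorized', { status: 401 })
  }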

  const payload = JSON.parse(rawBody)

  if (payload.event === 'payment.confirmed') {
    // trigger your fulfillment logic here
  }

  return new Response('OK', { status: 200 })
}

Python

import hmac
import hashlib

def verify_webhook(raw_body: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(),
        raw_body,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)

Always use the raw request body bytes for HMAC computation — not a parsed or re-serialized version of the JSON. Parsing and re-serializing can change whitespace and key order, causing verification to fail.
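
An added example (not HashPrism's own code) of a receiver-side handler that combines the points above: verify the signature over the raw bytes, parse only afterwards, and ignore repeated deliveries. The function names, the sample secret and body, the in-memory `seen` set, and the use of payment_id / refund_id as an idempotency key for retried deliveries are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or payloads.
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = (b'{"event":"payment.confirmed","data":{"payment_id":"constructed-0001",'
               b'"currency":"USDC","price_usd":9.99},"timestamp":"2026-02-20T14:30:00.000Z"}')

def sign(raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 hex digest of the raw body, the scheme the page describes."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body: bytes, headers: dict, secret: str, seen: set) -> tuple:
    """Return (http_status, reason). `seen` stands in for a durable store (assumption)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    signature = hdrs.get("x-hashprism-signature")
    if not signature:
        return 401, "missing signature"
    # Compare as bytes in constant time; a non-ASCII header value cannot raise here.
    if not hmac.compare_digest(sign(raw_body, secret).encode(), signature.encode()):
        return 401, "bad signature"
    # Parse only after the exact received bytes have been authenticated.
    try:
        payload = json.loads(raw_body)
        event, data = payload["event"], payload["data"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if not (isinstance(event, str) and isinstance(data, dict)):
        return 400, "malformed payload"
    # Route on the event inside the signed body; the X-HashPrism-Event header
    # is outside the HMAC, which covers the body only.
    if event == "test":
        return 200, "test ok"
    # Assumed idempotency key: a retried delivery repeats the same ids.
    ident = data.get("refund_id") or data.get("payment_id")
    if not isinstance(ident, str):
        return 400, "missing id"
    if (event, ident) in seen:
        return 200, "duplicate ignored"
    seen.add((event, ident))  # record before fulfilment so a retry is a no-op
    return 200, "processed"
```

In production the `seen` set would be a unique constraint or key in your database, so that duplicate suppression survives restarts and works across multiple workers.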

API Reference

HashPrism exposes a REST API under /api/v1/. Most routes are public. Protected routes require a Supabase session cookie and are intended for creator-side automation.

Products

Method  Endpoint
GET     /api/v1/products/[username]
GET     /api/v1/products/[username]/[slug]

Payments

Method  Endpoint
POST    /api/v1/payments/create
GET     /api/v1/payments/status?reference=
GET     /api/v1/payments/solana?reference=
POST    /api/v1/payments/solana?reference=
POST    /api/v1/payments/expire
DELETE  /api/v1/payments/delete?id=

Refunds

Method  Endpoint
POST    /api/v1/refunds/create
GET     /api/v1/refunds/status?reference=
GET     /api/v1/refunds/solana?reference=
POST    /api/v1/refunds/solana?reference=

Rate Limits

POST /payments/create    10 req / min per IP
GET /payments/status     60 req / min per IP
POST /payments/expire    10 req / min per IP
POST /refunds/create     10 req / min per IP
GET /refunds/status      60 req / min per IP
GET /refunds/solana      20 req / min per IP
POST /refunds/solana     10 req / min per IP
POST /contact            5 req / hour per IP

Questions or integration help? contact us