Logo

Payment

API Documentation

Back to updates
NewJun 16, 2026

Withdraw verify — second layer for withdrawals

Two-layer (second) verification for withdrawals — before a withdrawal is created, your backend must confirm it via webhook and return 200.

Workflow

Caller

Caller requests a withdrawal

POST /v1/withdrawal/createRequest

Platform

Platform sends a verify webhook to your backend

event WITHDRAWAL_VERIFY

Merchant

Merchant verifies the signature and replies 200 / non-2xx

merchant returns 200

Platform

Reserve balance & create the withdrawal (PENDING)

later

Result

Final result webhook — WITHDRAWAL_COMPLETED / REJECTED

Examples

WITHDRAWAL_VERIFY webhook
{
"event": "WITHDRAWAL_VERIFY",
"type": "FIAT",
"request_id": "verify_ORDER-DEMO-00111",
"data": {
"order_id": "ORDER-DEMO-00111",
"amount": 311,
"currency": "THB",
"withdrawal_address": "9999999999",
"receiver_bank": "SCB",
"receiver_name": "MR. John Snow",
"agent_id": "d272d889-886f-41ba-98cf-52d55c1fbe21"
}
}
Verify the signature (Node.js)
const ts = req.header('x-timestamp')
const sig = req.header('x-signature')
// sign only the inner "data" object
const signingString = `${ts}.${JSON.stringify(req.body.data)}`
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.WPAY_VERIFY_SECRET)
.update(signingString)
.digest('hex')
if (expected !== sig) return res.sendStatus(401)
return res.status(200).json({ ok: true }) // approve

Overview

Working flow:

1. A caller creates a withdrawal — POST /v1/withdrawal/createRequest. Nothing is reserved yet.

2. The platform sends a WITHDRAWAL_VERIFY webhook (event) to your backend with the order details.

3. Your backend verifies the x-signature (HMAC-SHA256 over the data object) and checks the order/amount.

4. Only when you return HTTP 200 does the platform reserve balance and create the withdrawal (PENDING). Any other status — or a timeout — rejects it (fail-closed).

5. After the transfer settles, a WITHDRAWAL_COMPLETED / WITHDRAWAL_REJECTED webhook reports the final result.

What changed

  • AddedNew App Secret Verify (HMAC) and Automatic Approve Withdrawal controls on the API Key & Webhook page.
  • AddedWITHDRAWAL_VERIFY webhook sent before a withdrawal is created; reply 200 to approve, non-2xx to reject (10s timeout, fail-closed).
  • AddedSignature is HMAC-SHA256 over "{x-timestamp}.{JSON of data}" using the generated secret — verify against the x-signature header.
View full documentation