Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt

Use this file to discover all available pages before exploring further.

Ingo Payments will post updates to the processing for events that take place related to anccillary payment activity. Ingo Payments will post asynchronous updates back to your designated webhook URL on specified status changes regarding the payment event. The posting data will be in JSON.

Event Categories

- Recipient Notification
- Party Authentication
- Recipient Verification
- Account Verification
- Account Tokenization
- Payment Returns
- Session Events

URL Setup

You will need to create and register your static webhook URL to receive webhook updates. The URL endpoint you create to receive webhook requests must be configured to support HTTPS using TLS1.2 or higher.
TLS 1.3 (suites in server-preferred order)
  • TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256
  • TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS 1.2 (suites in server-preferred order)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS 256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128

IP Address Whitelisting

Please be sure to whitelist the following IP addresses listed below.
UAT Environment
  • 18.189.65.27
  • 23.253.209.42
  • 23.253.213.126
  • 23.253.22.48
  • 3.130.108.242
  • 3.134.254.69
  • 3.142.181.231
  • 104.130.74.57
Production Environment
  • 64.88.183.84
  • 50.56.42.59
  • 50.56.46.146
  • 50.57.62.142

Verifying webhook signatures

Every request includes an X-Ingo-Signature header. Verify it to confirm the payload came from Ingo and has not been tampered with. 
const crypto = require('crypto');

function verifyWebhook(rawBody, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(`sha256=${expected}`)
  );
}

// In your Express handler:
app.post('/webhooks/ingo', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-ingo-signature'];
  if (!verifyWebhook(req.body, sig, process.env.INGO_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  const event = JSON.parse(req.body);
  // Handle event...
  res.sendStatus(200);
});

Testing webhooks locally

Use a tunnel tool like ngrok to expose your local server during development: