Support Services

Using Webhooks

What are Webhooks?

Webhooks are post back messages that CSG Forte sends to unique, server-side URL endpoints, which you define. You can then use these messages to verify information and perform tasks in your own system, such as

  • Ship merchandise to the customer when the transaction funds
  • Update invoicing applications when a customer payment posts
  • Maintain current customer and payment method information for Marketing collateral       
  • Record and track transactions that customers dispute

How Do I Configure Webhooks? 

Visit the help article Creating Webhooks for instructions on creating your Webhooks in Dex.

How are Webhooks triggered?

Webhook messages are triggered by transaction events. An event is simply an action that occurs during the progression of the transaction (i.e., from capture to processing). For example, when you use CSG Forte's REST API to create a sale transaction, three events occur:, customer.create, and paymethod.create. You can configure your webhooks to capture all the events of a transaction under a common event ID (e.g.,  evt_xxxxxx) or configure different webhooks to capture different combinations of events. This is referred to as subscribing to events. NOTE: Depending on how you configure your event subscriptions, the same data may be generated twice in separate webhooks. For example, a POST to the customer object that includes the creation of a payment method could (if subscribed) generate a customer webhook with both customer and payment method data as well as a paymethod webhook.

In the example described above, three events occur from a single sale transaction. To make managing the data easier, you could subscribe a single webhook to all three events, or create one webhook that captures customer and paymethod events and one webhook that captures transaction events. Each webhook could be used to connect to different information management systems (e.g., the customer/paymethod webhook could connect to a CRM application while the transaction webhook connects to an invoicing application).  

Why Should I Care About Webhooks?

Webhooks send postback messages to the merchant server, which is a more reliable and secure method of verifying transactions than real-time callbacks, which post to the client-facing application. Webhooks also offer superior error handling and fraud protection capabilities. As a best practice, CSG Forte recommends that merchants use webhooks to confirm that transaction information has posted to their accounts before fulfilling/completing the transactions (e.g., shipping merchandise to the customer). Webhooks can be used for both client-side and server-side functionality; however, webhooks can take as long as five minutes or more to post, which could result in a sluggish and less-than-desirable customer experience. If a webhook post fails (i.e., does not result in an HTTP 200 response), CSG Forte retries the webhook up to twenty times adding one minute for each retry. 

What CSG Forte Applications Use Webhooks?

The following CSG Forte products support  webhooks. 

  • CSG Forte Checkout     
  • CSG Forte REST API      
  • Dex

How Do I Authenticate Webhooks?

After providing the configuration information, CSG Forte Technical Support will send you a unique webhook_key for each webhook endpoint you define. You'll use this value to compute the signature parameter and authenticate the webhook by comparing it to the value in the X-Forte-Signature HTTP header. A signature comparison ensures the webhook came from CSG Forte and that no one tampered with the webhook payload. 

The signature parameter is computed with a hash-based message authentication code (HMAC) using a secret key (i.e., webhook_key) and a SHA256 digest algorithm:

HMACSHA256(webhook_url|payload|utc_time, webhook_key)


webhook_urlThe all-lowercase webhook URL. Requires the HTTPS URI scheme to protect privacy and data integrity.
payloadThe JSON contents of the webhook.
      "label":"Visa Credit Card - 1111",
         "name_on_card":"Joey JoJo Shabadoo",

utc_timeUTC time in ticks (since 01/01/0001 00:00:00) sent in the x-forte-utc-time header parameter.634094514514687490 
webhook_keyThe webhook key. This value is unique for each webhook endpoint that you define.AD6cNaWFoDla5VXqN2clfJjkGnCo6TNc 

The following signature formula example uses values that come from the examples displayed in the parameter table above.

HMACSHA256(|{ "location_id":"loc_115161", "event_id":"evt_o5bgfKnXbEKmPyp06-dZ3Q", 
"paymethod":{ "paymethod_token":"mth_jKxUPnIYTMq8iMqjp4CcsQ", "organization_id":"act_300005", "location_id":"loc_115161", 
"customer_token":"cst_9s7_JzBUT9eCnuW6Wkwcug", "label":"Visa Credit Card - 1111", "notes":"", "card":{ "name_on_card":"John Smith", 
"masked_account_number":"************1111", "expire_month":11, "expire_year":2020, "procurement_card":false, "card_type":"visa" }, 
"links":{ "self":"" } }, "source":"RESTAPI/3", 
"type":"payment.create", "environment":"live" }|634094514514687490, AD6cNaWFoDla5VXqN2clfJjkGnCo6TNc)

When put through the HMACSHA256 algorithm with the webhook secret key value of AD6cNaWFoDla5VXqN2clfJjkGnCo6TNc, the formula renders the following value:


If the webhook payload is secure and the webhook can be authenticated from CSG Forte, this signature value will match the value that is returned in the webhook's X-Forte-Signature HTTP header field: 

Accept: application/json
Content-Type: application/json
X-Request-Id: 7066f5f3-33a0-47a8-9f03-a0e94b4b2a5f
X-Forte-Utc-Tim: 634094514514687490
X-Forte-Signature: 30eaf51928aea79e67de3396578862254eeb4a8b0ae85550bdd7ae87c5708fb9

Credit Card Sale Transaction - Sample

The following payload example displays the headers and raw body content of a sample webhook. The value of the webhook_key parameter for this example is AD6cNaWFoDla5VXqN2clfJjkGnCo6TNc and the value of the webhook_url parameter is

NOTE: The provided sample is merely an example and not all-inclusive of the parameters listed in the transaction object of CSG Forte's REST API. The webhooks you receive will depend upon your webhook event configuration and the CSG Forte application you use to create the transaction.


Accept: application/json
Content-Type: application/json
X-Request-Id: 7066f5f3-33a0-47a8-9f03-a0e94b4b2a5f
X-Forte-Utc-Time: 634094514514687490
X-Forte-Signature: 08f2c97bfe283ffa17543eeea42b84a06d0a1ed757cd12938ab50dd3ffc6e7b9

Raw Body

  "organization_id": 300005,
          "street_line1":"500 W. Bethany Drive",
        "last_4_account_number": "1111",
       "response_desc":"TEST APPROVAL"
       "authorization_code": "1RN277",
       "avs_result": "Y",
       "cvv_result": "P"
  "event_id": "evt_AVt0yVCYgEWJjfkYCoLScQ",
  "source": "Console",
  "type": "",
  "environment": "sandbox"

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.