Recipe

Set up a webhook endpoint

A production webhook endpoint needs five things: a public HTTPS URL, signature verification, a fast 2xx, async processing, and replay safety. Miss any one and delivery gets flaky.

2 min read

HTTPSPublic URL
VerifyThen act
Fast 2xxAsync work

Expose and register

Stand up a public HTTPS endpoint (Credicorp will not deliver to plain HTTP) and register it. In development, tunnel a local server to a public URL so you can receive real deliveries. The endpoint receives the signed events you subscribed to.

Verify, ack fast, process async

On each delivery: verify the signature over the raw body, enqueue the event, and return a 2xx immediately. Do the heavy work in a background job — a slow synchronous handler risks a timeout, which Credicorp reads as failure and retries, multiplying duplicates.

Make it replay-safe

Because delivery is at-least-once, de-duplicate on the event ID and process idempotently. Order by state, not arrival. Together these turn Credicorp's at-least-once delivery into exactly-once effect on your side.

Frequently asked questions

Can my webhook endpoint be HTTP?

No — it must be public HTTPS. Credicorp signs and delivers over TLS only. In development, tunnel your local server to a public HTTPS URL to receive real deliveries.

Why return 2xx before processing?

To avoid a timeout. Verify and enqueue synchronously, return 2xx, then process in the background. A slow handler triggers a retry, which just creates more duplicates for your idempotent consumer to absorb.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.