The Source of Truth
Important: Do not use the frontendonSuccess callback as the trigger to fulfill orders. Frontend state can be manipulated. Always rely on Webhooks as the final source of truth.
Registering your Webhook
Set yourwebhookUrl and webhookSecret in the Surge Merchant Dashboard under Settings → Webhooks.
Security
Surge signs every outbound webhook with an HMAC-SHA256 signature in theX-Surge-Signature header. Verify this against your webhook_secret before processing any event.
Outbound Events (Surge → Your Server)
These are the events Surge sends to your registeredwebhookUrl.
payment.success
Fires when the customer pays the initial deposit and the installment plan is activated.
payment.failed
Fires when a deposit or installment charge attempt fails (e.g. insufficient funds, expired card).
payment_plan.installment_paid
Fires each time the Auto-Debit engine successfully collects a scheduled installment. Also emitted as installment.paid — both are identical events with different names for compatibility.
You receive
payment.success once when the plan is created, and one payment_plan.installment_paid event for each subsequent installment collected.goods.release
Fires when the merchant’s configured release rule is satisfied — typically after the deposit is paid. This is the trigger to ship physical goods or unlock digital access.
debit.scheduled
Fires when an auto-debit job is registered for a future installment.
transfer.success
Fires when a merchant payout (settlement transfer) to your registered bank account completes successfully.
Fulfillment Trigger
When your server receivesgoods.release or payment.success (and the signature is valid):
- Mark the order as Paid in your database.
- Trigger the release or shipping of physical or digital goods to the customer.
Return a
200 OK immediately and process fulfillment asynchronously to avoid timeout-based retries from Surge.Inbound Events (Paystack → Surge)
This section describes Surge’s internal infrastructure — you do not need to configure, call, or handle any of these endpoints. They are listed here for transparency only.
POST /api/v1/webhooks/paystack
Used internally by Surge to receive Paystack charge and transfer events. Surge validates every inbound Paystack event using HMAC-SHA512 (Paystack’s standard signing algorithm).
POST /api/v1/webhooks/payment-gateway
Used internally by Surge to handle payment method revocation events from Paystack (authorization.revoked, mandate.cancelled, etc.). When Surge receives a revocation, it deactivates the customer’s payment method and recalculates their Surge Score automatically.
Testing Your Webhook
You can send a signed test event to your configured endpoint directly from the API:delivered is false and an error field describes the failure.