Webhooks
Server-to-server callback endpoints currently present in the Fangate backend.
These are not creator-authenticated API endpoints. They are meant for payment providers and verification providers.
Payment provider webhooks
Confirmed live web routes:
| Endpoint | Method | Purpose |
|---|---|---|
/pwh/paypal | POST | PayPal payment callbacks |
/pwh/stripe | POST | Stripe payment callbacks |
/pwh/epoch | POST | Epoch payment callbacks |
/dataplus/epoch | POST | Epoch DataPlus callbacks |
Notes
- these endpoints are part of the web route surface, not
/api - they are server-to-server integration points
- frontend and partner clients should not call them directly
Verification webhooks
Confirmed live routes:
| Endpoint | Method | Purpose |
|---|---|---|
/api/yoti/webhook | POST | Buyer age-verification status callback |
/veriff/events | POST | Veriff event callback |
/veriff/decision | POST | Veriff decision callback |
/veriff/auto | POST | Veriff automated callback |
Notes
/api/yoti/webhookis part of the API route group- Veriff webhook routes are part of the web route surface
- public API consumers should treat these as provider-owned callbacks, not interactive client endpoints
Security expectations
Integrators operating webhook infrastructure should assume:
- HTTPS only
- provider-side signature or authenticity checks where available
- idempotent processing on duplicate callbacks
- quick acknowledgement with backend processing deferred where needed
Current public webhook surface for partners
No general Fangate outbound partner webhook system is confirmed in the current backend codebase.
If you are building an external integration and need:
- purchase-completed events
- payout-status events
- moderation events
- consent events
treat those as custom/integration work rather than part of the current public webhook contract.