Help Center

Webhook is an automatic event notification sent by the Allpay system to an external URL.

When a payment is successfully completed, Allpay sends a POST request to the specified address. The request contains full payment details, including the buyer's name, the payment description, and the amount.

Developers and integrators use webhooks to:

• automatically trigger actions (e.g. activating an order or sending an email to the customer),
• synchronize data between systems,
• eliminate the need for manual payment status checks.

Even types

Currently, Allpay supports a webhook for one event only — successful payment.

For subscriptions, the webhook is automatically sent to the specified URL each month after a successful recurring charge.

Where to configure a webhook

A webhook is configured separately for each payment link or API integration:

1. Payment link — in the settings of that specific link. In this case, the webhook will be sent for every payment made via that link.
2. API integration — in the settings of a specific integration under the <span class="u-richtext-element">API Integrations</span> section. This allows you to receive webhooks for all payments processed through that integration — for example, from your site on WordPress, or another platform.

Allpay does not have a centralized webhook setting for all payments. This approach gives you flexible control over notifications across different channels.

Webhook request contents

Allpay sends a POST request to the specified URL. The request body is a JSON object containing parameters related to the event.

Example request

POST /c96zv6ri852dvppncccdg6fxkjnpwojg HTTP/2
Host: hook.eu2.make.com
accept: */*
content-type:application/json
content-length: 453

{
    "name": "Consultation",
    "items": [
        {
            "name": "Consultation",
            "price": 150,
            "qty": 2,
            "vat": "1"
        },
        {
            "name": "Clock",
            "price": 50,
            "qty": 1,
            "vat": "1"
        }
    ],
    "amount": "350",
    "status": 1,
    "client_name": "Tanur Mikrogalov",
    "client_email": "test@email.com",
    "client_tehudat": "123456789",
    "client_phone": "+972 58 569 8877",
    "foreign_card": "0",
    "card_mask": "455743******3431",
    "card_brand": "visa",
    "receipt": "",
    "inst": 1,
    "sign": "83f6fab69f7b237ee2db5d9993b84b5fe89ef722af6206a0ffe64480501f3784"
}

‍

Each payment for which a webhook was sent is marked with a corresponding label. By clicking on this label, you can view the full contents of the request.

add_field parameter

If you add <span class="u-richtext-element">?add_field=any-string</span> to the payment link URL, this parameter will be included in the Webhook request body. Learn more.

Webhook security

Allpay supports two methods for verifying the authenticity of webhook requests:

Verification using the Webhook secret key

This method relies on an HMAC signature based on the SHA256 algorithm.

Signature generation algorithm:

1. Remove the <span class="u-richtext-element">sign</span> parameter from the request.
2. Exclude all parameters with empty values.
3. Sort the remaining keys in alphabetical order.
4. From the sorted list, take the parameter values and join them into a single string using a colon (:) as a separator.
5. Append your Webhook secret key to the end of the string, preceded by a colon.
6. Apply the SHA256 algorithm to the resulting string.
7. Compare the result with the <span class="u-richtext-element">sign</span> parameter received in the request.

Platforms like Zapier support this type of verification using built-in tools, such as a custom script in Code by Zapier.

Example JavaScript for Zapier

const webhookKey = "YOUR WEBHOOK SECRET KEY";

// Parse the input params from JSON string to an object
const params = JSON.parse(inputData.params || '{}');

// Store the original signature from the request
const requestSignature = params.sign || null;

// Remove the 'sign' parameter before calculating the signature
delete params.sign;

function getApiSignature(params, webhookKey) {
    // Filter out empty values and sort keys alphabetically
    const sortedKeys = Object.keys(params)
        .filter((key) => {
            const value = params[key];
            return value !== null && value !== undefined && String(value).trim() !== '';
        })
        .sort();

    // Collect the values in sorted key order, process nested arrays (like "items")
    const chunks = [];
    sortedKeys.forEach(key => {
        const value = params[key];
        if (Array.isArray(value)) {
            value.forEach(item => {
                if (typeof item === 'object' && item !== null) {
                    Object.keys(item).sort().forEach(subKey => {
                        const val = item[subKey];
                        if (val !== null && val !== undefined && String(val).trim() !== '') {
                            chunks.push(String(val).trim());
                        }
                    });
                }
            });
        } else {
            chunks.push(String(value).trim());
        }
    });

    // Build the string to hash
    const baseString = chunks.join(':') + ':' + webhookKey;

    // Generate SHA256 hash
    const crypto = require('crypto');
    const hash = crypto.createHash('sha256').update(baseString).digest('hex');

    return { baseString, verifiedSignature: hash };
}

// Generate the signature
const result = getApiSignature(params, webhookKey);

// Return the original and calculated values
output = {
    requestSignature: requestSignature,
    baseString: result.baseString,
    verifiedSignature: result.verifiedSignature
};

‍

Demo of webhook verification on Zapier

‍

IP address verification‍

A simpler but less secure method is to check that the request comes from Allpay’s server IP address. You can request the current IP address by contacting our support team.

Webhook delivery and retries

Your server must return an <span class="u-richtext-element">200 OK</span> response to confirm successful receipt of a webhook. If any other status is returned, or the request fails due to a timeout or network error, Allpay will automatically retry delivery.

Allpay performs up to 10 delivery attempts in total. The first retry is made 1 minute after the initial failure. Subsequent retries are sent with progressively increasing intervals, with the final attempt occurring within 24 hours of the original request.

If all delivery attempts fail, the webhook will be marked as failed and no further retries will be made.

Hosted Fields allow you to embed card input fields on your website or app, fully adapting them to the system's design. They create a seamless interface experience and eliminate the need to redirect the customer to an external payment page. This improves usability and conversion rates.

The input fields for the card number, expiration date, and CVC are represented as an iFrame. We provide the ability to fully customize their CSS and embed them on your site as a single frame.

Tutorial

Setup

<span class="u-richtext-counter">1</span> In the <span class="u-richtext-element">Settings</span> → <span class="u-richtext-element">Integrations</span> → <span class="u-richtext-element">My sites</span> enable Hosted Fields for the required integration.

<span class="u-richtext-counter">2</span> Click the <span class="u-richtext-element">Hosted Fields settings</span> button and specify the domain where the payment will be processed. Domains and subdomains must be entered one per line in plain format, without <span class="u-richtext-element">https://</span>, paths, or any additional parts — for example, <span class="u-richtext-element">mysite.com</span>. If needed, adjust the CSS styles for the input fields.

<span class="u-richtext-counter">3</span> On your website’s payment page, place an iFrame, assign any custom value to its <span class="u-richtext-element">id</span> parameter, and in the <span class="u-richtext-element">src</span> parameter specify the payment URL (payment_url) returned by Allpay in response to a payment creation request (see Payment request section in the API Reference). Payment URLs can also be generated using the Allpay API Tester.‍

<span class="u-richtext-counter">4</span> Add the following script to the payment page:

<script src="https://allpay.to/js/allpay-hf.js"></script>
    <script>
    let Allpay = new AllpayPayment(
        {
            iframeId: 'iframe_id',
            onSuccess: function() { alert('Payment success'); },
            onError: function(error_n, error_msg) { alert('Payment error: ' + error_n + ' (' + error_msg + ')'); }
        }
    );
    </script>

‍

In the script, replace the following parameters with your own:

• <span class="u-richtext-element">iframeId</span> — the id value of your iFrame.
• <span class="u-richtext-element">onSuccess</span> — the handler for successful payment completion (what should happen after successful payment).
• <span class="u-richtext-element">onError</span> — the handler for payment errors. For example, you can display the payment error message on the page.

<span class="u-richtext-counter">5</span> To initiate the process, execute the function <span class="u-richtext-element">Allpay.pay()</span>, for example, by assigning it to the "Pay" button:

<button onclick="Allpay.pay();">Pay</button>

Installments

If you enabled the installment option for the customer when creating the payment by passing a value in the <span class="u-richtext-element">inst</span> parameter, a field for selecting the number of payments will automatically appear in the frame.

Quick Pay Buttons

Apple Pay and Bit buttons will not be displayed in preview mode or within the iFrame if they are not activated in the <span class="u-richtext-element">Settings</span> → <span class="u-richtext-element">Modules</span>.

Additionally, these buttons are not displayed in test mode. As well as in live mode for installment or subscription payments.

Apple Pay button

At the moment, the Apple Pay button does not work inside Hosted Fields. We are working on a solution.

To ensure Apple Pay button works correctly, set the attribute <span class="u-richtext-element">allow="payment *"</span> in the <span class="u-richtext-element">iframe</span> tag. Example:

<iframe id="myPaymentIframe" allow="payment *" src="..." >

Israeli citizens are required to enter their Teudat Zehut (Social ID) number, which is included in the payment receipt.

Since payments may come not only from Israel but also from other countries, as well as from tourists or Israeli residents who do not have a Teudat Zehut, the payment page includes a checkbox “I am not an Israeli citizen” that hides the Teudat Zehut input field.

If the customer opens the payment page from outside Israel, this checkbox is selected by default.

Managing the field for payments via payment links

The Teudat Zehut input field, including the “I am not an Israeli citizen” checkbox, can be completely hidden from the payment page. This is useful for those who accept payments mainly from abroad.

In the payment link settings, you can enable the <span class="u-richtext-element">Hide Teudat Zehut field</span> option and choose one of two settings:

• For customers outside Israel
• For all customers

Geolocation is determined based on the IP address.

Consult your accountant before enabling this setting.

Managing the field for API payments

‍To pass the Teudat Zehut number or hide this field from the payment page, use the <span class="u-richtext-element">client_tehudat</span> parameter as described in the API documentation.‍

In Allpay, there are two types of expenses:

1. commission on payments
2. subscription fee

Commission

The commission is deducted from each withdrawal. On the 11th of each month, a link to the commission receipt for all payments from the previous month appears in the <span class="u-richtext-element">Withdrawals</span> tab.

Subscription fee

The subscription fee is charged once a month from the linked card. After each charge, a receipt is available in <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Plan</span> ➙ <span class="u-richtext-element">Billing</span>.

‍

In addition to shekels, Allpay supports payments in US dollars (USD) and euros (EUR).

Available payment currencies are shown in the <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Permissions</span> section.

By default, only payments in shekels are enabled after registration. To accept payments in USD or EUR, a separate permission must be requested.

Before requesting permission to accept payments in foreign currencies

In many cases, accepting payments in shekels is sufficient for a business. However, if your customers are located in Europe, the US, or other countries, it may be more convenient for them to view prices in USD or EUR.

For this purpose, we offer a special feature — currency display conversion. This means the customer will see the payment amount in, for example, euros, but the actual charge will be made in shekels based on their bank’s exchange rate.

No permission is required to use this feature — it is already available.
‍

More details: How to display the payment amount in USD or EUR.

We recommend using this solution in most cases.

Requesting permission to accept payments in foreign currencies

Go to <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Modules</span> and activate the “USD & EUR” module.

To activate it, you’ll need to upload a bank letter with the details of your foreign currency account. The letter must:

• Be in English
• Include the account number in IBAN format
• Include your name (or company name) and Teudat Zehut number (or company number)

Examples of bank letters:‍ Discount, Leumi, Hapoalim.

The confirmation letter can be downloaded from your bank's online account or obtained by visiting the bank in person. Letters that do not meet the above requirements will not be accepted.

The letter will be forwarded to the relevant credit company (Isracard or CAL — depending on how your business is connected to the Allpay system) with a request to approve foreign currency operations for your account.

The average approval time is 2–4 business days.

Allpay cannot guarantee approval for foreign currency transactions; however, we do everything possible to ensure that all our customers receive the necessary authorization.

When a business website has an English version and clearly displays products or services with prices in USD or EUR, it increases the likelihood of approval.

Once the approval is granted, the module status will change to “Active” and you will receive a notification. Please make sure notifications are enabled under <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Notifications</span>.

How to accept payments in foreign currency

When creating a payment link, you will see an option to switch the payment currency.

When creating payments via API, you can pass the values "USD" or "EUR" in the <span class="u-richtext-element">currency</span> parameter.

Commission and withdrawals

We do not charge any additional commission for foreign currency payments — standard rates apply.

However, your bank may charge a fee for receiving currency withdrawals. These withdrawals are made via the SWIFT system and go through a chain of three banks: our bank, your bank’s foreign branch, and your bank in Israel. The total fee per withdrawal can reach up to $40. We cannot influence this fee, but you can ask your bank for better terms.

For this reason, withdrawals are made starting from 100 USD/EUR. Any amount below 100 USD/EUR will be carried over to the next withdrawal.

Receipts

According to the law, official receipts (kabalot and heshbonit mas) must be issued in shekels.

Therefore, for foreign currency payments, the service price in the receipt appears in the payment currency, while the VAT amount and total are shown in shekels based on the current exchange rate. We use exchange rates from Google Finance.

If your customer needs a receipt showing the total amount in the original payment currency (not in shekels), a copy can be downloaded from the EasyCount or Morning dashboard.

The payment page supports languages: Arabic, English, French, German, Hebrew, Italian, Russian and Spanish.

The language is detected automatically based on the customer’s browser language, so each customer sees the payment page in their own language. If the browser language is not supported or cannot be detected, English will be set by default.

To manually control the language of the payment page, in the <span class="u-richtext-element">More</span> section of the payment link settings, change the <span class="u-richtext-element">Auto-detect (browser language)</span> option to the language you need.

The customer will then see the payment page in that language, regardless of their browser settings. The language switcher will still remain available on the checkout page.

Translation of additional fields

If you add custom fields to the payment page, their labels can be translated into all four languages. This makes the payment page convenient for a multilingual audience. For more details, see the article about additional fields.

Language control via API

For payments initiated from your website (i.e., not through payment links created in Allpay), the payment page language can be controlled via the API according to the documentation.

By default, automatic detection based on the browser settings applies.

To have the Bit payment button appear on your payment pages, activate the Bit module in the <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Modules</span> ➙ <span class="u-richtext-element">Bit</span> section.

Payment via Bit is only possible from a mobile device on which the Bit app is installed. When paying from a computer, the system will display a QR code for scanning and switching to payment from a mobile device.

Payments received through Bit are credited to the business's bank account along with the payout in the same way as other payments.

Bit button for foreign customers

Since Bit is an Israeli system, we make it possible to hide the Bit button for customers who pay from abroad. The system determines the client's geolocation by its IP.

The corresponding switch can be found in the module settings.

Restrictions

Up to 5000 ILS. Payment via Bit cannot exceed 5,000 shekels. The sum of all payments per month from all customers cannot exceed 20,000 shekels.

ILS. Bit only supports payments in shekels.

No installments. You can only pay with Bit in one payment.

No subscriptions. Bit does not allow you to save your customer card for future charges, so we hide the Bit button for “Subscription” payment links.

No payment from Bit balance. The charge is made from the card linked to Bit. If the card has insufficient funds or the credit limit is exceeded, the payment will fail.

Ten minutes. From the moment you press the Bit button, the customer has 10 minutes to make a payment.

Diners. Diners and Discover brand cards are not supported by Bit.

Name and email

Bit does not give us the payer's name and e-mail address, so we request them ourselves when making a payment.

The e-mail field is optional by default, and if it is not filled in by the customer, a payment confirmation will not be sent. You can make this field required in the Bit module settings.

Integrations

For payment integrations from ours catalogue The Bit button will be shown on the payment page if the module is activated and hidden if not.

API

Software integration developers documentation<span class="u-richtext-element">, can control the display of the Bit button on the payment page by using the show_bit parameter.</span> However, the Bit module must first be activated through your Allpay account.

For test payments, use the real card attached to the Bit app. At the same time, don't forget to activate the test mode for payment integration.

Timer lets you set the exact date and time when a link will automatically turn off and stop accepting payments.

For example, this can be useful when selling event tickets or courses that have a registration deadline.

You can set the timer in the payment link settings <span class="u-richtext-element">More</span> → <span class="u-richtext-element">Timer</span>.

Time is always set according to Israel time

If you enable checkbox <span class="u-richtext-element">Show timer on the payment page</span>, the customer will see how much time is left to complete the payment.

After the link is disabled, it will receive the label <span class="u-richtext-element" style="background-color: rgba(221, 94, 94, 0.4)">Disabled</span>

You can also disable the link when the product is out of stock. See the article about quantity management.