Help Center

Webhook is an automatic event notification sent by the Allpay system to an external URL.

When a payment is successfully completed, Allpay sends a POST request to the specified address. The request contains full payment details, including the buyer's name, the payment description, and the amount.

Developers and integrators use webhooks to:

• automatically trigger actions (e.g. activating an order or sending an email to the customer),
• synchronize data between systems,
• eliminate the need for manual payment status checks.

Even types

Currently, Allpay supports a webhook for one event only — successful payment.

For subscriptions, the webhook is automatically sent to the specified URL each month after a successful recurring charge.

Where to configure a webhook

A webhook is configured separately for each payment link or API integration:

1. Payment link — in the settings of that specific link. In this case, the webhook will be sent for every payment made via that link.
2. API integration — in the settings of a specific integration under the <span class="u-richtext-element">API Integrations</span> section. This allows you to receive webhooks for all payments processed through that integration — for example, from your site on WordPress, or another platform.

Allpay does not have a centralized webhook setting for all payments. This approach gives you flexible control over notifications across different channels.

Webhook request contents

Allpay sends a POST request to the specified URL. The request body is a JSON object containing parameters related to the event.

Example request

POST /tjefkki4vvsvfyhrmudkr571bvjxw5g7 HTTP/2
Host: hook.eu2.make.com
accept: */*
content-type:application/json
content-length: 653

{
    "name": "Test payment",
    "items": "[{\"name\":\"Test payment\",\"price\":10,\"qty\":1}]",
    "amount": "10",
    "status": 1,
    "client_name": "Tanur Mikrogalov",
    "client_email": "test@allpay.co.il",
    "client_tehudat": "",
    "client_phone": "",
    "foreign_card": "0",
    "card_mask": "407517******9285",
    "card_brand": "visa",
    "receipt": "https:\/\/www.allpay.co.il\/receipt.pdf",
    "sign": "2367eefa04752fae489fc233670fce599be9083af8c9a581d4c7684ec33c0114"
}

‍

Each payment for which a webhook was sent is marked with a corresponding label. By clicking on this label, you can view the full contents of the request.

Webhook security

Allpay supports two methods for verifying the authenticity of webhook requests:

Verification using the Webhook secret key

This method relies on an HMAC signature based on the SHA256 algorithm.

Signature generation algorithm:

1. Remove the <span class="u-richtext-element">sign</span> parameter from the request.
2. Exclude all parameters with empty values.
3. Sort the remaining keys in alphabetical order.
4. From the sorted list, take the parameter values and join them into a single string using a colon (:) as a separator.
5. Append your Webhook secret key to the end of the string, preceded by a colon.
6. Apply the SHA256 algorithm to the resulting string.
7. Compare the result with the <span class="u-richtext-element">sign</span> parameter received in the request.

Platforms like Zapier support this type of verification using built-in tools, such as a custom script in Code by Zapier.

Example JavaScript for Zapier

const webhookKey = "YOUR WEBHOOK SECRET KEY";

// Parse the input params from JSON string to an object
const params = JSON.parse(inputData.params || '{}');

// Store the original signature from the request
const requestSignature = params.sign || null;

// Remove the 'sign' parameter before calculating the signature
delete params.sign;

function getApiSignature(params, webhookKey) {
    // Filter out empty values and sort keys alphabetically
    const sortedKeys = Object.keys(params)
        .filter((key) => {
            const value = params[key];
            return value !== null && value !== undefined && String(value).trim() !== '';
        })
        .sort();

    // Collect the values in sorted key order
    const chunks = sortedKeys.map(key => String(params[key]).trim());

    // Build the string to hash
    const baseString = chunks.join(':') + ':' + webhookKey;

    // Generate SHA256 hash
    const crypto = require('crypto');
    const hash = crypto.createHash('sha256').update(baseString).digest('hex');
``
    return { baseString, verifiedSignature: hash };
}

// Generate the signature
const result = getApiSignature(params, webhookKey);

// Return the original and calculated values
output = {
    requestSignature: requestSignature,
    baseString: result.baseString,
    verifiedSignature: result.verifiedSignature
};

‍

Demo of webhook verification on Zapier

‍

IP address verification‍

A simpler but less secure method is to check that the request comes from Allpay’s server IP address. You can request the current IP address by contacting our support team.

Retries and webhook deactivation

Your service must return a 200 HTTP status code to confirm successful receipt of the webhook. If any other status code is returned, the system will attempt to resend the webhook up to three more times. After that, the request will be considered failed and will not be retried.

If Allpay repeatedly encounters delivery errors when attempting to send webhook requests, the corresponding webhook will be automatically deactivated to prevent further attempts.

To accept online payments, you must have a website or a business page on a social network that provides information about your business.

Website Requirements

<span class="u-richtext-counter">1</span> The website content must clearly explain what you sell.

<span class="u-richtext-counter">2</span> Your website must include the following business contact details:

• Phone number (or WhatsApp), 
• Email address 
• Physical address (city, street, and house number)

If your business does not have a physical address, provide the one listed in your business registration certificate (Ishur Osek Patur/Murshe).

<span class="u-richtext-counter">3</span> Include a Privacy Policy and Terms of Service for selling products or providing services in English or Hebrew.

Privacy Policy template: ENG, HEB

Terms template (product sales): ENG, HEB

Terms template (service provision): ENG‍

These templates are examples. Allpay does not provide legal advice!

The website can be in any language and domain zone, but the Privacy Policy and Terms of Service must be in English or Hebrew.

<span class="u-richtext-counter">4</span> If your business requires licensing, display the relevant licenses and certificates on your website.

Social network page requirements

<span class="u-richtext-counter">1</span> The content must clearly indicate that the social network page is used for business purposes and specify the services or products offered.

<span class="u-richtext-counter">2</span> The page must include easily visible contact details:

• Phone number
• Email address
• Physical address (city, street, and house number).

If requirements are not met

Failure to meet these requirements may result in your request to process payments being denied.

Allpay, like any payment service in Israel, depends on an external regulator for issuing permissions. We do our best to help our clients obtain approval, but this is only possible with your cooperation.

In Allpay, there are two types of expenses:

1. commission on payments
2. subscription fee

Commission

The commission is deducted from each withdrawal. On the 11th of each month, a link to the commission receipt for all payments from the previous month appears in the <span class="u-richtext-element">Withdrawals</span> tab.

Subscription fee

The subscription fee is charged once a month from the linked card. After each charge, a receipt is available in <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Tariff</span> ➙ <span class="u-richtext-element">Balance</span>.

‍

Payments received during the month are automatically withdrawn on the 6th of the following month. It may take up to three business days for the withdrawal to appear in your bank account.

The minimum withdrawal amount is 100 ILS, USD, or EUR.

How it works

After a payment is made, it is processed by the credit company within 3–5 days and then included in the next withdrawal. You can view the withdrawal date of each payment by clicking the <span class="u-richtext-element">eye icon</span> in its details.

Installment payments are withdrawn once a month as funds are charged from the customer’s card.

Exceptions

Payments made during the last 3 days of the month — especially if they fall on weekends or holidays — may not be processed in time. These payments are considered part of the new month.

For example, a payment made on July 30 will be considered part of August and withdrawn on September 6.

How to track withdrawals

The withdrawal schedule is available in the <span class="u-richtext-element">Withdrawals</span> tab on the main screen.

To receive email or Telegram notifications about withdrawals, enable them in <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Notifications</span>.

Your bank account for withdrawals is listed in <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Withdrawals</span>.

Commission

The credit company charges a fee of 17.58 ILS (including VAT) for each withdrawal under 5,000 ILS. To support small businesses, we’ve created a flexible withdrawal system that allows you to receive funds once 5,000 ILS is reached — helping reduce commissions.

Withdrawal settings

You can configure your withdrawal mode in <span class="u-richtext-element">Settings</span> ➙ <span class="u-richtext-element">Withdrawals</span>:

1. <strong>Automatic withdrawals on the 6th and 12th.</strong> Funds available on those days will be withdrawn. For example, if only the 6th is selected, funds available on the 12th will be rolled over to the next 6th.
2. <strong>Automatic when N amount is reached.</strong> Funds available on the 6th and 12th will accumulate and be withdrawn once the amount reaches your specified threshold.
3. <strong>Manual withdrawals.</strong> Automatic withdrawals will be disabled. Funds will accumulate on the 6th and 12th and wait until you click the withdrawal request button in the <span class="u-richtext-element">Withdrawals</span> tab.

Refunds

If you issued refunds to customers during the month, those amounts will be deducted from the next withdrawal.

Breakdown and documents

On the 11th of each month, an entry appears in the <span class="u-richtext-element">Withdrawals</span> tab with two documents:

1. <strong>Monthly payment breakdown.</strong> Includes commission details for all payments from the 1st to the 31st of the previous month.
2. <strong>Commission receipt.</strong> Suitable for accounting as proof of expense.

Read also: Where to download the payment system commission receipt

A J5 transaction is a two-step payment process that begins with a pre-authorization. In the first step, the specified amount is reserved (held) on the buyer’s card for up to 168 hours (7 days) without actually charging the card.

To charge the reserved funds, the seller must initiate a charge request within that time frame and within the reserved amount. If the charge is for a smaller amount, the remaining balance is automatically released.

The term “J5” is used in Israeli payment systems as an internal code to refer to this type of transaction.

Use Cases

Delivery orders – The amount is reserved when the order is placed and charged after delivery is confirmed.

Variable price orders – For example, when buying products sold by weight (meat, fruits, vegetables), the final price is determined after weighing.

‍Pay as you go – The customer uses a service within a limit, and the final amount is calculated at the end.

Car rentals & hotels – The amount is reserved to cover possible damages or extra expenses.

Custom-made products – When ordering custom furniture or jewelry, the amount is reserved at checkout and charged when the product is ready.

Limitations

The charged amount cannot exceed the reserved amount.

Charging is allowed only once. Any attempt to charge again or after 168 hours will result in an error.

Supported Payment Methods

Both Israeli and international credit and debit cards are supported.

Express payment methods (Apple Pay, Google Pay, Bit) are not supported for J5. These buttons will be hidden on the authorization page.

How to Use

J5 functionality is available to developers via the Allpay API: view API documentation.

Demo

При создании платежной ссылки можно открыть возможность оплаты в рассрочку, указав максимальное число платежей, которое клиент сможет выбрать.

Если клиент выберет 2 и более платежа, то оплата будет списываться с его карты и поступать вам частями ежемесячно до достижения полной суммы.

Рассрочка работает только по кредитным картам, выпущенным в Израиле!

1. Создайте ссылку на оплату

При создании ссылки откройте раздел Дополнительно, для типа платежа выберите Рассрочка и укажите максимальное число платежей, которое сможет выбрать клиент.

2. Отправьте ссылку клиенту

На странице оплаты клиент увидит опцию выбора числа платежей. Если он оставит 1 платеж, то полная сумма будет списана сразу.

Пример

Для услуги стоимостью 6000₪ вы открыли возможность рассрочки до 5 платежей. При оплате клиент выбрал рассрочку в 3 платежа. В момент оплаты с него будет списана сумма 2000₪, через месяц еще 2000₪ и на третий месяц последние 2000₪.

Квитанция для оплаты в рассрочку создается на полную сумму сразу. При этом в квитанции указывается график платежей.

Если оплата в рассрочку не прошла

Наиболее вероятные причины:

1) карта клиента не является кредитной, а дебетовой;

2) карта выпущена не израильским банком;

3) кредитный лимит карты (мисгерет) меньше общей суммы платежа.

Почему невозможна рассрочка по иностранным картам

Оплата в рассрочку работает только по кредитным картам в рамках их кредитного лимита. Так как система не может распоряжаться кредитным лимитом клиентов зарубежных банков, разбивка на платежи по таким картам работать не будет.

Это ограничение финансовой системы. Рассрочка по сути — это кредит. Если у клиента нет денег на счёте, то вы (как бизнес, которому он сделал оплату в рассрочку) всё равно получаете очередной платёж за счёт кредита, который банк даёт клиенту. Управление кредитным лимитом для граждан и взыскание с них долга в случае непогашения кредита можно гарантировать только внутри страны.

Если клиент отменил карту

Вы продолжите получать платежи по рассрочке даже если клиент закрыл или отменил кредитную карту, с которой делался платеж.

В свойствах отклоненных платежей можно увидеть название ошибки и понять причину.

Коды ошибок

20004 Refusal by credit company. Please try a different card

Платёж не был одобрен банком, выпустившим карту. Для израильских карт это чаще всего связано с превышением кредитного лимита (мисгерет) или недостатком средств на счёте при оплате дебетовой картой. Для иностранных карт банк мог отклонить платёж, сочтя его подозрительным. В обоих случаях держателю карты следует обратиться в свой банк, чтобы уточнить причину отказа.

20010 Payment is not approved for debit cards

Попытка осуществить платеж в рассрочку по дебетовой карте. Такие платежи возможны только по кредитным картам и только выпущенным в Израиле. Больше информации.

After payment, customer receives an email notification about the payment. Make sure this feature is enabled in <span class="u-richtext-element">Settings</span> -> <span class="u-richtext-element">Notifications</span>

An email notification by itself is not a receipt.

If you enable integration with the EasyCount electronic receipt system, the receipt will be created automatically, and a button for downloading it will be added to the notification.

Example of email notification