Repository inventory

paid-tw/skills

Skills indexed from this repository, with install-style signals scoped to the repo.
7 skills1.4K GitHub stars0 weekly installsPHPGitHubOwner profile

Overview

This skill implements PAYUNi webhook handling for payment notification endpoints. It provides signature (CheckCode) verification, replay-attack prevention, and order status update patterns you can drop into a PHP-based backend. The goal is a secure, testable webhook receiver that fits common frameworks and databases.

How this skill works

The skill shows how to parse incoming webhook payloads, compute and verify the CheckCode using HashKey/HashIV and SHA256, and compare signatures using a constant-time method to prevent timing attacks. It includes guidance for deduplicating webhooks by logging TradeNo or payload checksum, updating order records when Status is SUCCESS or FAIL, and exposing a health-check endpoint. It also outlines SQL schema and sample functions to check and mark processed webhooks.

When to use it

  • You need a secure PAYUNi NotifyURL endpoint for production or testing.
  • Integrating PAYUNi into an existing PHP app, API framework, or serverless function.
  • You must validate payment notifications and prevent duplicate processing.
  • Setting up local testing with ngrok or staging webhook flows.
  • When you require clear logging and audit trails for payment callbacks.

Best practices

  • Always validate CheckCode calculated from sorted params with HashKey/HashIV and SHA256.
  • Use constant-time string comparison (timingSafeEqual equivalent) to avoid timing attacks.
  • Record processed TradeNo or checksum in a persistent table to stop replay attacks.
  • Serve webhook endpoints over HTTPS and restrict access where possible.
  • Log raw webhook payloads and processing results for auditing and troubleshooting.

Example use cases

  • A PHP e-commerce app that updates order status to 'paid' after PAYUNi notifies success.
  • A microservice that receives PAYUNi webhooks, validates signatures, and dispatches events to an order-processing queue.
  • A staging environment using ngrok to expose a local webhook endpoint for end-to-end testing.
  • A merchant dashboard that reconciles incoming TradeNo values against stored orders and flags mismatches.
  • A payments team implementing idempotent webhook handling by storing webhook_requests and skipping duplicates.

FAQ

Persist the provider trade identifier (TradeNo) or a payload checksum with a unique constraint, and skip processing when a record exists.

How is CheckCode calculated?

Sort all params except CheckCode alphabetically, join as key=value&..., prefix HashKey=...& and suffix &HashIV=..., SHA256 hash, then convert to uppercase.

Which response should the webhook return?

Return a 200-level JSON acknowledgement after successful processing; return 401 for invalid signature and 500 for errors.

7 skills

More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational