AI resources

Webhooks

Webhooks (also known as web callbacks) are a simple method that allows an application or system to provide real-time information whenever an event occurs. It's a passive way of receiving data between two systems via an HTTP POST request.

Webhooks notifications can be configured for each application created in Your integrations. You can also configure a test URL that, along with your test credentials, allows you to test the correct operation of your notifications before going live.

Once configured, the Webhook will be sent whenever one or more registered events occur, eliminating the need for constant checks and thus preventing system overload and data loss in critical situations.

To configure your Webhooks notifications, choose one of the options below:

Configuration type	Description
Configuration through Your integrations	Allows configuring notifications for each one of your applications, identifying different accounts if necessary, and validating the notification origin using the secret signature .
Configuration during payment creation	Allows specific configuration of notifications for each payment, preference or order This configuration is not allowed for Mercado Pago Point.

Important

The URLs configured during payment creation will take precedence over those configured through Your integrations.

Once notifications are configured, refer to the necessary actions after receiving a notification to validate that the notifications were properly received.

Configuration through Your integrations

Set up notifications for each application directly in Your integrations efficiently and securely. In this documentation, we will explain how:

Specify URLs and configure events
Validate the notification source
Simulate receiving the notification

Important

This configuration method is not available for Subscriptions integrations. To set up notifications for either of these integrations, use the Configuration during payment creation method.

1. Specify URLs and configure events

To configure Webhooks notifications via Your integrations, it is necessary to specify the URLs where they will be received and the events for which you wish to receive notifications.

To do this, follow these steps:

Access Your integrations and select the application for which you want to enable notifications. If you haven't created an application yet, access the Developer Dashboard documentation and follow the instructions to do so.
In the left menu, click on Webhooks > Configure notifications and configure the URLs that will be used to receive notifications. We recommend using different URLs for testing mode and production mode:
- Test mode URL: provide a URL that allows testing the correct operation of notifications for this application during the testing or development phase. Testing these notifications should be done exclusively with the test credentials of productive users.
- Production mode URL: provide a URL to receive notifications with your productive integration. These notifications should be configured with productive credentials.

webhooks

Note

If you need to identify multiple accounts, you can add the parameter ?cliente=(sellersname) to the endpoint URL to identify the sellers.

Select the events from which you want to receive notifications in JSON format via an HTTP POST to the URL specified earlier. An event can be any type of update on the reported object, including status changes or attributes. Refer to the table below to see the events that can be configured, considering the integrated Mercado Pago solution and its business specifics.

Events	Name in Your Integrations	Topic	Associated products
Creation and update of payments	Order (Mercado Pago)	`orders`	Checkout API Mercado Pago Point
Creation and update of payments	Payments	`payment`	Checkout API (legacy) Checkout Pro Checkout Bricks Subscriptions Wallet Connect
Recurring payment of a subscription (creation - update)	Plans and Subscriptions	`subscription_authorized_payment`	Subscriptions
Subscription linking (creation - update)	Plans and Subscriptions	`subscription_preapproval`	Subscriptions
Subscription plan linking (creation - update)	Plans and Subscriptions	`subscription_preapproval_plan`	Subscriptions
Linking and unlinking of accounts connected via OAuth	Application linking	`mp-connect`	All products that have implemented OAuth
Wallet Connect transactions	Wallet Connect	`wallet_connect`	Wallet Connect
Fraud alerts after order processing	Fraud alerts	`stop_delivery_op_wh`	Checkout API Checkout Pro
Creation of refunds and claims	Claims	`topic_claims_integration_wh`	Checkout API Checkout Pro Checkout Bricks Subscriptions Mercado Pago Point Wallet Connect
Retrieval of card information and update within Mercado Pago	Card Updater	`topic_card_id_wh`	Checkout Pro Checkout API Checkout Bricks
Creation, closure, or expiration of commercial orders	Commercial orders	`topic_merchant_order_wh`	Checkout Pro
Opening of chargebacks, status changes, and modifications related to the release of funds	Chargebacks	`topic_chargebacks_wh`	Checkout Pro Checkout API Checkout Bricks
Completion and cancellation of payment attempt, or error processing payment attempt from Mercado Pago Point devices.	Point Integrations	`point_integration_wh`	Mercado Pago Point (legacy)

Important

If you have any questions about the topics to de activated or the events that will be notified, check the Additional information about Notifications documentation.

Finally, click on Save. This will generate a unique secret signature for your application, allowing you to validate the authenticity of received notifications, ensuring they were sent by Mercado Pago. Note that the generated signature does not have an expiration date, and its periodic renewal is not mandatory but highly recommended. Simply click the Reset button next to the signature to renew it.

2. Validate notification origin

Notifications sent by Mercado Pago will be similar to the following example for a payment topic alert:

json
{
 "id": 12345,
 "live_mode": true,
 "type": "payment",
 "date_created": "2015-03-25T10:04:58.396-04:00",
 "user_id": 44444,
 "api_version": "v1",
 "action": "payment.created",
 "data": {
     "id": "999999999"
 }
}

Mercado Pago will always include the secret signature in the Webhooks notifications received at the registered URL, which will allow you to validate their authenticity to provide greater security and prevent potential fraud.

This signature will be sent in the x-signature header, as shown in the example below.

x-signature
`ts=1704908010,v1=618c85345248dd820d5fd456117c2ab2ef8eda45a0282ff693eac24131a5e839`

To confirm the validation, it is necessary to extract the key from the header and compare it with the key provided for your application in Your integrations.

Follow one of the approaches below to validate the authenticity of the notification.

The official SDK implements HMAC-based Webhook Signature Verification to authenticate the origin of each received notification.

To get your secret key (secret), select the application in Your integrations, click Webhooks > Configure notification, and reveal the generated key.

<?php
use MercadoPago\Webhook\WebhookSignatureValidator;
use MercadoPago\Exceptions\InvalidWebhookSignatureException;

try {
    WebhookSignatureValidator::validate(
        $_SERVER['HTTP_X_SIGNATURE'],
        $_SERVER['HTTP_X_REQUEST_ID'],
        $_GET['data_id'],
        $secret
    );
    http_response_code(200);
} catch (InvalidWebhookSignatureException $e) {
    http_response_code(401);
}

import { WebhookSignatureValidator, InvalidWebhookSignatureError } from 'mercadopago';

try {
    WebhookSignatureValidator.validate({
        xSignature: req.headers['x-signature'],
        xRequestId: req.headers['x-request-id'],
        dataId:     req.query['data.id'],
        secret,
    });
    res.sendStatus(200);
} catch (err) {
    if (err instanceof InvalidWebhookSignatureError) res.status(401).end();
    else throw err;
}

from mercadopago.webhook import WebhookSignatureValidator, InvalidWebhookSignatureError

try:
    WebhookSignatureValidator.validate(
        request.headers.get("x-signature"),
        request.headers.get("x-request-id"),
        request.args.get("data.id"),
        secret,
    )
    return "", 200
except InvalidWebhookSignatureError:
    return "", 401

import "github.com/mercadopago/sdk-go/pkg/webhook"

err := webhook.ValidateSignature(
    r.Header.Get("x-signature"),
    r.Header.Get("x-request-id"),
    r.URL.Query().Get("data.id"),
    secret,
)
if err != nil {
    w.WriteHeader(http.StatusUnauthorized)
    return
}
w.WriteHeader(http.StatusOK)

using MercadoPago.Error;
using MercadoPago.Webhook;

try {
    WebhookSignatureValidator.Validate(
        xSignature: Request.Headers["x-signature"],
        xRequestId: Request.Headers["x-request-id"],
        dataId:     Request.Query["data.id"],
        secret:     secret);
    return Ok();
} catch (InvalidWebhookSignatureException) {
    return Unauthorized();
}

import com.mercadopago.webhook.WebhookSignatureValidator;
import com.mercadopago.exceptions.MPInvalidWebhookSignatureException;

try {
    WebhookSignatureValidator.validate(
        request.getHeader("x-signature"),
        request.getHeader("x-request-id"),
        request.getParameter("data.id"),
        secret);
    response.setStatus(200);
} catch (MPInvalidWebhookSignatureException e) {
    response.setStatus(401);
}

require 'mercadopago/webhook/validator'

begin
    Mercadopago::Webhook::Validator.validate(
        request.headers['x-signature'],
        request.headers['x-request-id'],
        request.params['data.id'],
        secret
    )
    head :ok
rescue Mercadopago::Webhook::InvalidWebhookSignatureError
    head :unauthorized
end

Notificaciones

Notificaciones son mensajes enviados por el servidor de Mercado Pago desde eventos que se realizan en su aplicación.

IPN

Conoce las notificaciones de IPN y aprende a configurarlo.