Webhook Implementation Request for Atlos.io

Request to Atlos dev team:

Can you add webhook support? When a payment status changes, send a POST request to a URL we specify in settings.

Send this data:

{
  "Id": "aXfV6BC6DOgfilqF",
  "AssetCode": "usdc",
  "BlockchainCode": "eth",
  "Amount": "1000200",
  "Fee": "10002",
  "RecipientAddress": "0x386a528091a3E9c490656E708075D1c30384E3dc",
  "Status": 100,
  "Txid": "0x5698aa17ebd7b0074cbdccb70408abb7f83c5dc9da11c2deb7cc118a3353faff",
  "timestamp": "2026-01-11T10:30:00Z"
}

Security: Include X-Webhook-Signature and X-Webhook-Timestamp headers. We’ll verify using this function:

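import { createHmac, timingSafeEqual } from 'crypto';

function verifyAtlosWebhook(
  payload: string,        // raw request body, exactly as received
  timestamp: string,      // X-Webhook-Timestamp header value
  signature_hash: string, // X-Webhook-Signature header value (hex)
  secret: string,
  tolerance: number = 300
): boolean {
  const now = Math.floor(Date.now() / 1000);
  const ts = parseInt(timestamp, 10);

  // A non-numeric timestamp parses to NaN, which would slip past the
  // tolerance comparison, so reject it explicitly.
  if (Number.isNaN(ts) || Math.abs(now - ts) > tolerance) return false;

  const message = `${timestamp}.${payload}`;

  const hash = createHmac('sha256', secret)
    .update(message)
    .digest();

  // Compare the raw digests in constant time instead of with ===.
  const given = Buffer.from(signature_hash, 'hex');
  return given.length === hash.length && timingSafeEqual(given, hash);
}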

This prevents replay attacks and ensures webhooks are authentic.
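
The signing scheme requested above, exercised end to end in plain JavaScript for Node.js (an added example, not code from the original post or from Atlos). The sender-side `signWebhook`, the replay cache keyed on the digest, the status strings and the sample secret, body and clock values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
// Sender side (assumed scheme): hex HMAC-SHA256 over "<timestamp>.<raw body>".
function signWebhook(rawBody, secret, nowSeconds) {
  const timestamp = String(nowSeconds);
  const signature = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`).digest('hex');
  return { 'x-webhook-timestamp': timestamp, 'x-webhook-signature': signature };
}

// Receiver side. `seen` maps digest -> expiry (epoch seconds), so a delivery
// replayed inside the tolerance window is rejected as well.
function createReceiver(secret, tolerance = 300) {
  const seen = new Map();
  return function receive(rawBody, headers, nowSeconds) {
    const timestamp = headers['x-webhook-timestamp'] || '';
    const signature = headers['x-webhook-signature'] || '';
    if (!/^\d{1,12}$/.test(timestamp)) return 'bad-timestamp';
    const ts = Number(timestamp);
    if (Math.abs(nowSeconds - ts) > tolerance) return 'stale';
    // Verify over the raw body bytes, never over re-serialized JSON.
    const expected = crypto.createHmac('sha256', secret)
      .update(`${timestamp}.${rawBody}`).digest();
    const given = Buffer.from(signature, 'hex');
    if (given.length !== expected.length ||
        !crypto.timingSafeEqual(given, expected)) return 'bad-signature';

    // Key the cache on the canonical digest so changing hex case cannot evade it.
    const key = expected.toString('hex');
    for (const [k, expiry] of seen) if (expiry < nowSeconds) seen.delete(k);
    if (seen.has(key)) return 'replay';
    seen.set(key, ts + tolerance);
    return 'accepted';
  };
}

// Constructed sample delivery; secret, body and clock values are made up.
function demo() {
  const secret = 'constructed-test-secret';
  const body = '{"Id":"aXfV6BC6DOgfilqF","Amount":"1000200","Status":100}';
  const t0 = 1768127400;
  const receive = createReceiver(secret);
  const headers = signWebhook(body, secret, t0);
  return [
    receive(body, headers, t0 + 5),                                // first delivery
    receive(body, headers, t0 + 10),                               // same delivery again
    receive(body.replace('1000200', '9000200'), headers, t0 + 15), // altered amount
    receive(body, headers, t0 + 301),                              // outside the window
  ];
}
```

The in-memory `Map` only covers a single process; with several receiver instances the same cache would have to live in shared storage.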

It’s your responsibility to avoid replay attacks.
Starting with the fact that no one should even know your webhook endpoint.

This answer had nothing to do with what I have requested.
What do you mean by “it is your responsibility”?

From my understanding, you have a webhook that Atlos calls when a payment has been done.
You don’t want users to be able to perform a replay attack.

The only way users can do a replay attack is if they find out about your webhook. And it’s your responsibility to make sure no one finds out about that webhook. It’s also your responsibility to use the data sent to that webhook to see if the ID belongs to a transaction marked as paid at Atlos.

No, I am asking Atlos to implement the webhook.

They do have webhook implementation tho…

Where is the documentation? Can you send me the link, please?

They gave it a bit of a confusing name: “Postback” instead of webhook.

Oh, thank you. Yeah, the naming is a bit confusing.