Webhooks
Receive real-time notifications when payment events occur.
Overview
Webhooks notify your application when:
- A payment is completed
- A payment expires or its status changes
Instead of polling the API, webhooks push events to your server instantly. (Refund status changes are not webhooked — poll the Refunds API.)
How It Works
1. Customer pays Lightning invoice
2. Your payment provider (Strike or OpenNode) confirms payment
3. The provider sends a webhook to Lightning Enable
(POST /api/webhooks/strike or POST /api/webhooks/opennode)
4. Lightning Enable forwards a signed webhook to your callback URL
5. Your server processes the event
Webhook Payload
Lightning Enable forwards one flat JSON object per payment event to your callback URL. There is no envelope and no event field — route on the status field.
The payload shape depends on which payment provider your merchant account uses.
OpenNode merchants:
{
"invoiceId": "1042",
"orderId": "ORDER-12345",
"status": "paid",
"amount": 49.99,
"currency": "USD",
"openNodeChargeId": "abc123-def456-...",
"paidAt": "2026-07-03T12:05:00Z",
"metadata": "{\"customerId\":\"cust_42\"}"
}
Strike merchants:
{
"invoiceId": "1042",
"orderId": "ORDER-12345",
"status": "paid",
"amount": 49.99,
"currency": "USD",
"providerChargeId": "8f6c3f5e-1c2d-...",
"provider": "strike",
"paidAt": "2026-07-03T12:05:00Z",
"metadata": null
}
| Field | Description |
|---|---|
invoiceId | Lightning Enable invoice ID (numeric string) — the same invoiceId returned by POST /api/payments |
orderId | Your order ID from payment creation |
status | Payment status string. Treat paid as the fulfillment trigger. Other values include processing, expired, and (OpenNode) underpaid / refunded |
amount / currency | The invoice amount and currency you created it with |
openNodeChargeId / providerChargeId | The provider's charge ID (provider: "strike" is included on the Strike path) |
paidAt | When Lightning Enable processed the provider event (UTC) |
metadata | The metadata JSON string you supplied at creation, or null |
Refunds do not currently generate merchant webhooks. Track refund progress by polling GET /api/refunds/{refundId} or forcing a provider sync with POST /api/refunds/{refundId}/sync — see Refunds.
Configuring Webhooks
Set your webhook URL + secret from the Lightning Enable dashboard. Navigate to Dashboard → Settings → Webhooks and provide:
- Webhook URL (must be HTTPS in production)
- Signing secret (used for HMAC verification)
Webhook URL Requirements
- Must be HTTPS in production
- Must return a 2xx status within 10 seconds (the delivery request times out after 10s)
- Must be publicly accessible
Verifying Webhooks
Every webhook request from Lightning Enable includes an X-LightningEnable-Signature header. You must verify this signature to confirm that the webhook is authentic and has not been tampered with.
Signature Format
The signature header uses a timestamped HMAC scheme:
POST /webhooks/lightning HTTP/1.1
Content-Type: application/json
X-LightningEnable-Signature: t=1704067200,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8f9
The header contains two comma-separated components:
| Component | Description |
|---|---|
t | Unix timestamp (seconds) when the signature was generated |
v1 | HMAC-SHA256 hex digest of the signed payload |
Verification Steps
To verify a webhook signature:
- Extract the timestamp (
t) and signature (v1) from theX-LightningEnable-Signatureheader - Construct the signed payload by concatenating the timestamp, a period (
.), and the raw request body:{timestamp}.{payload} - Compute the HMAC-SHA256 of the signed payload using your webhook secret as the key
- Compare the computed signature with the
v1value using a constant-time comparison function to prevent timing attacks - Check freshness -- reject signatures where the timestamp is more than 5 minutes old to prevent replay attacks
Replay Protection
Lightning Enable enforces a 5-minute tolerance on webhook signatures. You should implement the same check on your end:
- Reject webhooks where
current_time - t > 300 seconds(5 minutes) - Optionally reject webhooks where
tis more than 30 seconds in the future (clock skew protection)
This prevents attackers from intercepting a valid webhook and replaying it later.
Node.js / JavaScript Verification
const crypto = require('crypto');
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
const TOLERANCE_SECONDS = 300; // 5 minutes
/**
* Parse the X-LightningEnable-Signature header into its components.
*/
function parseSignatureHeader(header) {
const parts = header.split(',');
let timestamp = null;
let signature = null;
for (const part of parts) {
const trimmed = part.trim();
if (trimmed.startsWith('t=')) {
timestamp = parseInt(trimmed.slice(2), 10);
} else if (trimmed.startsWith('v1=')) {
signature = trimmed.slice(3);
}
}
return { timestamp, signature };
}
/**
* Verify a webhook signature with replay protection.
* Returns true if the signature is valid and the timestamp is fresh.
*/
function verifyWebhookSignature(payload, signatureHeader, secret) {
const { timestamp, signature } = parseSignatureHeader(signatureHeader);
if (!timestamp || !signature) {
return false;
}
// Check timestamp freshness (replay protection)
const now = Math.floor(Date.now() / 1000);
if (Math.abs(now - timestamp) > TOLERANCE_SECONDS) {
return false;
}
// Compute expected signature over "{timestamp}.{payload}"
const signedPayload = `${timestamp}.${payload}`;
const expected = crypto
.createHmac('sha256', secret)
.update(signedPayload)
.digest('hex');
// Constant-time comparison
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// Express.js example -- use express.raw() to get the raw body
app.post('/webhooks/lightning', express.raw({ type: 'application/json' }), (req, res) => {
const signatureHeader = req.headers['x-lightningenable-signature'];
const payload = req.body.toString('utf8');
if (!signatureHeader || !verifyWebhookSignature(payload, signatureHeader, WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
const event = JSON.parse(payload);
handleWebhookEvent(event);
res.status(200).send('OK');
});
You must verify the signature against the raw request body string, not a re-serialized JSON object. Re-serialization may change whitespace or key ordering, causing signature mismatches.
C# Verification
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
[ApiController]
[Route("webhooks")]
public class WebhookController : ControllerBase
{
private readonly string _webhookSecret;
private const int ToleranceSeconds = 300; // 5 minutes
public WebhookController(IConfiguration config)
{
_webhookSecret = config["WebhookSecret"]!;
}
[HttpPost("lightning")]
public async Task<IActionResult> HandleWebhook()
{
// Read the raw body
using var reader = new StreamReader(Request.Body);
var payload = await reader.ReadToEndAsync();
var signatureHeader = Request.Headers["X-LightningEnable-Signature"].FirstOrDefault();
if (string.IsNullOrEmpty(signatureHeader) || !VerifySignature(payload, signatureHeader))
{
return Unauthorized("Invalid signature");
}
var webhookEvent = JsonSerializer.Deserialize<WebhookEvent>(payload);
await ProcessEventAsync(webhookEvent);
return Ok();
}
private bool VerifySignature(string payload, string signatureHeader)
{
// Parse "t={timestamp},v1={signature}"
if (!TryParseSignatureHeader(signatureHeader, out var timestamp, out var providedSignature))
{
return false;
}
// Replay protection: reject if older than 5 minutes
var signatureTime = DateTimeOffset.FromUnixTimeSeconds(timestamp);
var age = DateTimeOffset.UtcNow - signatureTime;
if (age.TotalSeconds > ToleranceSeconds || age.TotalSeconds < -30)
{
return false;
}
// Compute HMAC-SHA256 over "{timestamp}.{payload}"
var signedPayload = $"{timestamp}.{payload}";
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_webhookSecret));
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(signedPayload));
var expectedSignature = Convert.ToHexString(hash).ToLowerInvariant();
// Constant-time comparison
return CryptographicOperations.FixedTimeEquals(
Encoding.UTF8.GetBytes(expectedSignature),
Encoding.UTF8.GetBytes(providedSignature));
}
private static bool TryParseSignatureHeader(string header, out long timestamp, out string signature)
{
timestamp = 0;
signature = string.Empty;
foreach (var part in header.Split(','))
{
var trimmed = part.Trim();
if (trimmed.StartsWith("t=") && long.TryParse(trimmed[2..], out timestamp)) { }
else if (trimmed.StartsWith("v1=")) { signature = trimmed[3..].ToLowerInvariant(); }
}
return timestamp > 0 && !string.IsNullOrEmpty(signature);
}
}
Python Verification
import hmac
import hashlib
import time
WEBHOOK_SECRET = os.environ['WEBHOOK_SECRET']
TOLERANCE_SECONDS = 300 # 5 minutes
def parse_signature_header(header):
"""Parse the X-LightningEnable-Signature header."""
timestamp = None
signature = None
for part in header.split(','):
trimmed = part.strip()
if trimmed.startswith('t='):
timestamp = int(trimmed[2:])
elif trimmed.startswith('v1='):
signature = trimmed[3:]
return timestamp, signature
def verify_webhook_signature(payload, signature_header, secret):
"""Verify a webhook signature with replay protection."""
timestamp, signature = parse_signature_header(signature_header)
if timestamp is None or signature is None:
return False
# Replay protection: reject if older than 5 minutes
now = int(time.time())
if abs(now - timestamp) > TOLERANCE_SECONDS:
return False
# Compute HMAC-SHA256 over "{timestamp}.{payload}"
signed_payload = f'{timestamp}.{payload}'
expected = hmac.new(
secret.encode('utf-8'),
signed_payload.encode('utf-8'),
hashlib.sha256
).hexdigest()
# Constant-time comparison
return hmac.compare_digest(signature, expected)
# Flask example
@app.route('/webhooks/lightning', methods=['POST'])
def handle_webhook():
signature_header = request.headers.get('X-LightningEnable-Signature')
payload = request.get_data(as_text=True)
if not signature_header or not verify_webhook_signature(payload, signature_header, WEBHOOK_SECRET):
return 'Invalid signature', 401
event = request.json
process_event(event)
return 'OK', 200
Handling Events
Best Practices
- Return 200 quickly - Process asynchronously if needed
- Handle duplicates - Events may be sent multiple times
- Verify signatures - Always validate HMAC
- Log everything - Keep records for debugging
Idempotency
Use the invoice/refund ID to handle duplicate events:
async function handlePaid(payload) {
const { invoiceId } = payload;
// Check if already processed
const existing = await db.orders.findOne({
lightningInvoiceId: invoiceId,
status: 'fulfilled'
});
if (existing) {
console.log('Already processed:', invoiceId);
return;
}
// Process the payment
await db.orders.updateOne(
{ lightningInvoiceId: invoiceId },
{ $set: { status: 'fulfilled', paidAt: payload.paidAt } }
);
await fulfillOrder(invoiceId);
}
Routing on status
The payload has no event field — dispatch on status:
app.post('/webhooks/lightning', async (req, res) => {
const payload = req.body; // verify the signature first — see above
switch (payload.status) {
case 'paid':
await handlePaid(payload);
break;
case 'expired':
await handleExpired(payload);
break;
default:
// processing, underpaid, etc. — log and wait for a terminal status
console.log('Payment update:', payload.invoiceId, payload.status);
}
res.status(200).send('OK');
});
Delivery & Reliability
Webhook delivery is a fast-path notification, not a guaranteed delivery channel:
- Each delivery attempt has a 10-second timeout; the first attempt fires as soon as Lightning Enable processes the provider's webhook.
- If your endpoint is down or errors, delivery is retried with exponential backoff — 30s, 60s, 120s, 240s, 480s (5 retry attempts, ~16-minute total window) — with identical payload bytes on every attempt (each attempt's
X-LightningEnable-Signatureis freshly timestamped and verifies against that same body — dedupe on payload content likeinvoiceId+status, never on the signature header) (as of the July 2026 update; earlier versions did not retry failed forwards). - After retries exhaust, the event is marked permanently failed — recover by polling.
Recovery pattern: on startup or on a schedule, reconcile any orders still pending on your side via GET /api/payments/{invoiceId} (authoritative status), or force a provider re-check with POST /api/payments/{invoiceId}/sync.
Testing Webhooks
Local Development
Use ngrok to expose your local server:
# Start your local server
npm start # Runs on http://localhost:3000
# In another terminal
ngrok http 3000
# Use the ngrok URL as your webhook endpoint
# https://abc123.ngrok.io/webhooks/lightning
Test Event
Send a test webhook to verify your endpoint:
# Generate a test signature
TIMESTAMP=$(date +%s)
PAYLOAD='{"invoiceId":"1042","orderId":"ORDER-TEST","status":"paid","amount":25.00,"currency":"USD","openNodeChargeId":"test-charge","paidAt":"2026-07-03T12:05:00Z","metadata":null}'
SIG=$(echo -n "${TIMESTAMP}.${PAYLOAD}" | openssl dgst -sha256 -hmac "your-webhook-secret" | cut -d' ' -f2)
curl -X POST https://your-site.com/webhooks/lightning \
-H "Content-Type: application/json" \
-H "X-LightningEnable-Signature: t=${TIMESTAMP},v1=${SIG}" \
-d "${PAYLOAD}"
Troubleshooting
Webhook Not Received
- Check URL - Ensure webhook URL is correct and HTTPS
- Check firewall - Allow incoming connections
- Test manually - Use curl to test your endpoint
Signature Mismatch
- Check secret - Ensure webhook secret matches what you configured
- Check encoding - Use the raw request body, not a re-serialized JSON object
- Check algorithm - Use HMAC-SHA256 over
{timestamp}.{payload} - Check header name - The header is
X-LightningEnable-Signature, notX-Webhook-Signature - Check timestamp - Ensure replay protection tolerance is at least 5 minutes
Timeout Errors
- Process async - Return 200 immediately, process in background
- Respond fast - The delivery request times out after 10 seconds
- Recover by polling - Missed a webhook?
GET /api/payments/{invoiceId}is authoritative
Security Best Practices
Always Verify Signatures
// Bad - No verification
app.post('/webhooks', express.json(), (req, res) => {
processEvent(req.body);
res.send('OK');
});
// Good - Verify signature with raw body
app.post('/webhooks', express.raw({ type: 'application/json' }), (req, res) => {
const sigHeader = req.headers['x-lightningenable-signature'];
const payload = req.body.toString('utf8');
if (!sigHeader || !verifyWebhookSignature(payload, sigHeader, WEBHOOK_SECRET)) {
return res.status(401).send('Unauthorized');
}
const event = JSON.parse(payload);
processEvent(event);
res.send('OK');
});
Use HTTPS
Always use HTTPS for webhook endpoints to prevent interception.
Validate Event Data
Don't trust webhook data blindly:
async function handlePayment(data) {
// Verify with API
const payment = await getPayment(data.invoiceId);
if (payment.status !== 'paid') {
throw new Error('Payment not actually paid');
}
// Now safe to fulfill
await fulfillOrder(payment.orderId);
}
Next Steps
- Payments API - Create payments
- Errors - Error handling
- Rate Limiting - API limits