Developers
Server-to-server integration hub
Kobbopay is designed for server-to-server integrations: your backend creates payments, consumes signed webhooks, and reconciles using explicit lifecycle semantics. Start with integration docs for a CTO-friendly overview, then request access for environment-specific materials after merchant approval.
Environment-specific materials after review: Request access.
Integration principles
- Server-side API keys: never embed API keys in client apps, public repos, or support tickets.
- Payment lifecycle: treat statuses as contractually meaningful — do not collapse Paid and Confirmed if your accounting depends on confirmations.
- Signed webhooks: verify signatures using the raw received body bytes so you match the signed string exactly.
- Retry-aware consumers: webhook delivery can retry; make handlers idempotent using stable identifiers such as payment_id.
- Public payment status: a read-only public payment view can support payer-facing status pages — without exposing merchant secrets.
Signed callbacks: verify on raw bytes, then update internal state idempotently—retries are normal.
Retries: treat duplicate deliveries as expected. Deduplicate using a stable event identifier when available, otherwise payment_id plus a derived transition key from the payload.
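An added Node.js example of the verify-then-deduplicate flow described above; it is not Kobbopay's code or its official signing contract. The field names event_id and status, the hex HMAC-SHA256 signature format, and the in-memory Set and Map standing in for durable storage are assumptions.

```javascript
const crypto = require("crypto");

// Assumed contract: hex HMAC-SHA256 over the raw body bytes; confirm against your deployment.
function signatureOk(rawBody, signatureHeader, secret) {
  const expected = Buffer.from(
    crypto.createHmac("sha256", secret).update(rawBody).digest("hex"));
  const received = Buffer.from(String(signatureHeader || ""));
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Prefer a stable event id; otherwise payment_id plus the transition it reports.
// Keeping status in the key keeps Paid and Confirmed as separate transitions.
function dedupeKey(event) {
  if (event.event_id) return `evt:${event.event_id}`;
  return `pay:${event.payment_id}:${event.status}`;
}

// `seen` stands in for a table with a unique constraint on the dedupe key (insert
// atomically in production); `ledger` stands in for internal payment state.
function handleDelivery(rawBody, signatureHeader, secret, seen, ledger) {
  if (!signatureOk(rawBody, signatureHeader, secret)) return "rejected";
  let event;
  try { event = JSON.parse(rawBody.toString("utf8")); } // parse only after verification
  catch { return "rejected"; }
  if (!event || typeof event.payment_id !== "string" || typeof event.status !== "string") {
    return "rejected"; }
  const key = dedupeKey(event);
  if (seen.has(key)) return "duplicate"; // retry: acknowledge, change nothing
  seen.add(key);
  ledger.set(event.payment_id, [...(ledger.get(event.payment_id) || []), event.status]);
  return "applied";
}

// Constructed sample deliveries (placeholder secret, hypothetical payload shape)
const SECRET = "YOUR_WEBHOOK_SECRET";
const sign = (body) => crypto.createHmac("sha256", SECRET).update(body).digest("hex");
const paid = Buffer.from('{"payment_id":"pay_1","status":"Paid"}');
const confirmed = Buffer.from('{"payment_id":"pay_1","status":"Confirmed"}');

function demo() {
  const seen = new Set(), ledger = new Map();
  return { results: [
    handleDelivery(paid, sign(paid), SECRET, seen, ledger),
    handleDelivery(paid, sign(paid), SECRET, seen, ledger),           // retried delivery
    handleDelivery(confirmed, sign(confirmed), SECRET, seen, ledger), // next lifecycle step
    handleDelivery(confirmed, sign(paid), SECRET, seen, ledger),      // signature mismatch
  ], ledger };
}
```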
Example: create a payment
Placeholders only. Replace host, headers, and payload fields with values appropriate to your approved environment and enabled rails.
curl -sS -X POST "https://api.example.com/v1/payments" \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
    "amount": 10.5,
    "currency": "USDT",
    "network": "example-network",
    "orderId": "order-123"
  }'

Example: webhook verification (sketch)
Your production verifier must match the exact signing contract used by your Kobbopay deployment. Treat this as a pattern, not a substitute for official docs.
// Verify HMAC over the raw JSON body bytes (example shape only)
const crypto = require("crypto");

function verifyWebhook(rawBody, signatureHeader, secret) {
  // rawBody must be the bytes as received, not a re-serialized object
  const expected = Buffer.from(
    crypto.createHmac("sha256", secret).update(rawBody).digest("hex")
  );
  const received = Buffer.from(String(signatureHeader || ""));
  // timingSafeEqual throws on unequal lengths, so reject those first
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}
// secret = YOUR_WEBHOOK_SECRET (never ship to browsers)

Docs roadmap
Public OpenAPI / reference docs and stable anchors will ship after the integration kit stabilizes for external citation. This marketing site now hosts a conservative /docs overview so teams can align on concepts before contacting us.