EBANX sends a notification each time a payment status changes, which consists of an HTTP POST to an URL specified on the merchant area.

The following parameters are sent:


It’s also possible that is sent an an array of hashes separated by commas:





The value is always payment_status_change.



Event that triggered the notification:

  • update: the payment status has changed from PE to CO or CA.
  • chargeback: a chargeback was issued for this payment.
  • refund: a refund was issued for this payment.
  • chargeback_credit: a chargeback credit was issued for this payment.



A single hash or an array of hashes separated by commas.

After receiving the notification, you should call the API method query to fetch the current payment status, and then use it to process the payment on your system.

When you finish processing the notification, you must output a response (it can be any string) to indicate that it was processed correctly. Otherwise, the notification will be sent again.

All the notifications will be logged, and you can keep track of them in the merchant area by going to Integration > Notification Log.

Notification signature

EBANX signs every notification request using a private certificate and send the signature in the HTTP headers. The merchant can verify if the request really came from EBANX by validating the digital signature using our public certificate.

The available certificates and their fingerprints are shown on the table below:


EBANX will send the following headers in the notification request:

X­-Signature­Type: rsa,sha1
X­-Signature­Fingerprint: 4ABAD89CF66B99998465470550EB15E3E271A246
X-­Signature­Content: xh5hstzZt5Rf5ihNzbfFfkmN89askd...DrHJAnzHgaf2vzA==


The signing algorithm. EBANX will always use RSA/SHA1.


The signature fingerprint. It indicates which certificate was used to sign the notification.


The signed payload, encoded as a Base64 string.

The signature can be validated in PHP as follows:

$cert      = file_get_contents('ebanx-notifications-public.pem');
$data      = file_get_contents("php://input");
$signature = base64_decode($_SERVER['HTTP_X_SIGNATURE_CONTENT']);

// http://php.net/manual/en/function.openssl-verify.php
$result = openssl_verify($data, $signature, $cert);

if ($result === 1)
  echo "OK, signature is correct.";
  echo "ERROR, the signature is incorrect.";