WEBHOOKS

Bank of Georgia callbacks

Bank of Georgia sends signed callbacks to CodeOn for card-payment state changes. CodeOn verifies the raw body before parsing, records the event, and applies the payment state machine to the matching order.

Method: POST
Path: /api/payments/bog/callback

Signature verification

Read the raw request body bytes. Do not parse and re-stringify before verification.
Read the Callback-Signature header.
Verify the signature with the configured Bank of Georgia callback public key.
Only parse JSON after the signature passes.

Order matching

CodeOn first tries body.external_order_id, which is the CodeOn order UUID sent when creating the BoG order. If that is missing, it falls back to BoG's body.order_id stored on the order.

Idempotency

Every verified event is stored with an idempotency key equal tosha256(rawBody). Duplicate callback deliveries become no-ops at the database layer. The state machine is also idempotent so repeated callbacks converge on the same final order state.

Response semantics

Case	HTTP	Why
Invalid signature	401	The payload cannot be trusted and no order can be safely identified.
Verified but non-JSON	200	Log and ignore; retrying the same bad signed payload is not useful.
Verified unknown order	200	Log for review; BoG should not retry forever.
Verified known order	200	Persist event and apply state. If state application fails, the durable event remains available for admin review.

Signature verification

Read the raw request body bytes. Do not parse and re-stringify before verification.
Read the Callback-Signature header.
Verify the signature with the configured Bank of Georgia callback public key.
Only parse JSON after the signature passes.

Response semantics

Case	HTTP	Why
Invalid signature	401	The payload cannot be trusted and no order can be safely identified.
Verified but non-JSON	200	Log and ignore; retrying the same bad signed payload is not useful.
Verified unknown order	200	Log for review; BoG should not retry forever.
Verified known order	200	Persist event and apply state. If state application fails, the durable event remains available for admin review.