Take a card payment with Checkout.com and verify incoming webhooks

Verified steps

1. Create a payment by posting to POST /payments on the Checkout.com Unified Payments API with 'source.type' of 'card' (for raw PAN, requires SAQ-D or a vault token from Frames.js), 'amount' as integer minor units, 'currency' as ISO 4217 uppercase, and 'processing_channel_id' identifying your business.
2. If the response 'status' is 'Pending' and '_links.redirect.href' is present, redirect the cardholder to complete 3DS; if status is 'Authorized', the payment succeeded without challenge.
3. Configure a webhook endpoint in the Checkout.com dashboard and subscribe to 'payment_approved', 'payment_declined', 'payment_captured', and 'payment_refunded' event types.
4. When a webhook arrives, extract the 'authorization' header value — this is an HMAC-SHA256 signature computed by Checkout.com using your webhook signature key over the raw request body.
5. Verify: compute HMAC-SHA256 of the raw request body bytes using your webhook secret, base64-encode the result, and compare to the 'authorization' header value with a constant-time comparison.
6. After verification, read 'data.id' (the payment ID) and 'type' to determine the event; call GET /payments/{id} to fetch the canonical payment state before acting on it.