Testing End-to-End

Run a full payment in test mode and confirm the webhook is delivered and verified — no real money.

Test mode uses sandbox credentials, so no real money moves. A successful payment still settles the transaction and forwards a signed webhook to your route's Webhook URL — so you can exercise the whole loop end-to-end.

What You Need

  • A receiver for the webhook — a quick webhook.site URL just to see it arrive, or a small endpoint running the SDK verifier (exposed with ngrok / cloudflared in local dev).
  • An app in Test mode. Open the route and set its Webhook URL to your receiver.
  • The route's Signing Secret (Route info → Webhook signing secret, whsec_…) to verify with, and an API key if you'll call the API.

Fastest: Pay on Delivery

The simplest fully-local path — no external provider. It still fires a real signed payment.success webhook:

  • Create a payment with allowPayOnDelivery: true and currency: "htg" — via the Test Payment dialog on the route page, or POST /api/init-payment.
  • Open the returned /pay/<token> URL, choose Pay on Delivery — the order is placed (pending).
  • In the dashboard, open that transaction and click Collect. It flips to success and the signed webhook is delivered to your receiver.

Moncash Sandbox

To exercise the real provider path, pick Moncash at checkout and complete the payment on the Moncash sandbox screen. On success, Moncash calls back the platform, which settles the transaction and forwards the signed webhook.

Local dev needs a tunnel

The Moncash sandbox callback must reach your running app, so put a tunnel in front of pnpm dev (e.g. ngrok http 3002) and point your return URLs at it. A webhook.site receiver works without tunneling your app, but the provider → platform callback still needs the platform reachable.

Verify the Webhook

At your receiver, verify the forwarded request with the SDK — see Verifying Webhooks. Before the full flow, you can sanity-check your verifier and secret by signing a payload yourself:

import { createHmac } from "node:crypto";
import { verifyWebhook } from "icone-pay-sdk";

const secret = process.env.ICONEPAY_SIGNING_SECRET!; // whsec_...
const body = JSON.stringify({ event: "payment.success", orderId: "test" });
const t = Math.floor(Date.now() / 1000);
const v1 = createHmac("sha256", secret).update(t + "." + body).digest("hex");

const event = verifyWebhook(body, "t=" + t + ",v1=" + v1, secret);
console.log(event.event, event.orderId); // → payment.success test

Two gotchas

Verify against the raw body (no re-serialization) and the route's whsec_ secret, or the signature won't match.

Confirm It Worked

CheckWhere
Payment passedTransaction shows success on the route / Overview tabs
Webhook deliveredYour endpoint received it (return 2xx); the Webhooks tab lists failed/retrying ones with a Resend button
Verified correctlyverifyWebhook returns the event instead of throwing WebhookVerificationError