PayZuPayZu Docs

Webhooks

PayZu's webhook system sends real-time notifications about status changes for your transactions. When you create a transaction and provide a callbackUrl, our system sends updates to that URL every time the status changes.

What is a webhook (callback)

A webhook (also called a callback) is a POST request that PayZu sends to your server when something happens. Unlike the regular API (where you call PayZu), here it's the opposite: PayZu calls you.

Think of a Pix charge. You created it, displayed the QR to the customer, and now you need to know when the customer pays. Two options:

  1. Polling, keep asking every X seconds "paid yet? paid yet?" (costly, slow, unnecessary).
  2. Webhook, let PayZu notify you as soon as the payment arrives (instant, efficient, recommended).

How to configure

There is no separate endpoint to "register a webhook". The URL is provided on each transaction created, in the callbackUrl field of the body:

{
  "amount": 99.90,
  "callbackUrl": "https://yoursite.com/webhooks/payzu",
  "clientReference": "order-2025-001"
}

PayZu will send the callback to that URL every time that transaction changes status (PENDING → COMPLETED, COMPLETED → REFUNDED, etc).

Create a public endpoint on your server

Somewhere accessible over the internet that accepts POST with JSON. Examples: https://yoursite.com/webhooks/payzu, https://api.yourcompany.com/payzu/callback.

During local development, use tunnels like ngrok or Cloudflare Tunnel to expose localhost.

Pass the URL when creating the transaction

On every POST /pix, POST /withdraw, POST /internal-transfer, include the callbackUrl field. It can be the same URL for all of them.

Implement the handler

Receive the POST, read the JSON, process it and respond 2xx within 5 seconds. See examples in Receive Pix · step 3.

Required header on the POST sent by PayZu: Content-Type: application/json.

Retry system

PayZu's webhooks have a robust retry system that ensures delivery even during temporary failures. PayZu resends up to 72 times the same callback with exponential backoff and jitter, better distributing the load and avoiding request spikes.

Response time: the webhook must respond with HTTP 200 OK within 5 seconds. If it exceeds this time, the system considers it a timeout and starts the retry process.

Security

To ensure integrity and security, restrict access to your webhook endpoint. Request PayZu Processamento's official IP from support and accept callbacks only from that origin.

Payload fields

Identification

FieldTypeDescription
idstringTransaction ID
clientReferencestringExternal reference you provided
virtualAccountstringVirtual subaccount (up to 50 characters). Returns in the callback to correlate stores, branches, marketplaces.
callbackUrlstringURL configured to receive this webhook

Status and values

FieldTypeDescription
statusstringPENDING, COMPLETED, CANCELED, WAITING_FOR_REFUND, REFUNDED, EXPIRED, ERROR
typestringDEPOSIT, WITHDRAW, INTERNAL_TRANSFER
amountnumberAmount in BRL
serviceFeeChargednumberFee charged

Generated charge (deposit)

FieldTypeDescription
qrCodeTextstringPix copy-and-paste code
qrCodeUrlstringQR Code image URL
qrCodeBase64stringQR Code image in Base64 format
generatedNamestringReference name
generatedDocumentstringCPF or CNPJ
generatedEmailstringEmail linked to the transaction

Payer

FieldTypeDescription
payerNamestringPayer's name
payerDocumentstringPayer's document
payerInstitutionIspbstringISPB of the payer's bank
payerInstitutionNamestringPayer's bank name
payerAccountNumberstringPayer's PayZu account (6 digits). Present only on internal transfers.

Receiver

FieldTypeDescription
receiverNamestringReceiver's name
receiverDocumentstringReceiver's document
receiverInstitutionIspbstringISPB of the receiver's bank
receiverInstitutionNamestringReceiver's bank name
receiverAccountNumberstringReceiver's PayZu account (6 digits). Present only on internal transfers.

Withdrawal via Pix key

FieldTypeDescription
withdrawPixKeystringPix key used in the withdrawal
withdrawPixTypestringcpf, cnpj, phone, email, evp

Settlement and refund

FieldTypeDescription
endToEndIdstringPix EndToEnd ID
paidAtstringPayment timestamp (ISO 8601)
cancellationReasonstringCancellation reason
refundEndToEndIdstringRefund EndToEnd ID
refundAmountstringRefunded amount
refundStatusstringPENDING, COMPLETED, CANCELED
refundReasonstringRefund reason
refundDescriptionstringRefund description
refundedAtstringRefund timestamp (ISO 8601)

Timestamps

FieldTypeDescription
createdAtstringCreation timestamp (ISO 8601)
updatedAtstringUpdate timestamp (ISO 8601)

Infraction (Pix dispute)

FieldTypeDescription
infractionobjectInfraction details when opened (see MED)

Best practices

  • Respond fast: return 2xx in under 5s. Process heavy work in queues/workers, not in the handler.
  • Idempotency: store id + status to deduplicate. The same callback may arrive more than once (retries, successive changes).
  • Use clientReference: pass an external identifier when creating the transaction. It returns in the callback and makes it easier to correlate with your order.
  • Restrict by IP: only accept callbacks from PayZu's official IP.

Inspection and resend

The API exposes the full list of callbacks sent:

Infrações (MED)

O MED é o processo do Bacen para contestar Pix em casos de fraude ou erro do pagador. Quando uma cobrança recebida vira disputa, a PayZu cria uma infração e você tem prazo curto para responder com defesa.

Boas práticas

Padrões testados em produção que separam uma integração que dura uma semana de uma que aguenta produção. Idempotência, multi-tenant, callbacks, paginação, dinheiro, segurança, tratamento de erros e checklist final.

On this page

What is a webhook (callback)How to configureCreate a public endpoint on your serverPass the URL when creating the transactionImplement the handlerRetry systemSecurityPayload fieldsIdentificationStatus and valuesGenerated charge (deposit)PayerReceiverWithdrawal via Pix keySettlement and refundTimestampsInfraction (Pix dispute)Best practicesInspection and resend