Skip to main content

Notifications — Getting Started

Quick summary

The Connected Payments Notification service sends server-to-server postbacks (webhooks) to your endpoint whenever a transaction event occurs. Use them as the authoritative source for payment outcomes — not client-side redirects or PostMessages.

How it works

You configure one or more notification rules in the Connected Payments dashboard, each pointing to an endpoint URL. Rules can be broad (all transactions) or conditional (specific response codes, amounts, merchant references, etc.). When a matching transaction occurs, Connected Payments POSTs the transaction data to that URL as a JSON body.

Common rule examples

Use caseDescription
All transactionsSend every transaction to your backend for logging and reconciliation
Declined onlyNotify only when a transaction is declined (e.g. response code ≠ 00)
High value alertsAlert on transactions above a certain dollar amount
Route by referenceRoute notifications to different endpoints based on merchant reference prefix
Important

Your endpoint must return an HTTP 200 OK to acknowledge receipt. Any other response — or a timeout — is treated as a failure and the notification will be retried. See Notification Re-Attempts for the retry schedule.

Always use notifications as authoritative source

Always use notifications as the authoritative source for payment outcomes. Client-side responses (redirects, PostMessages) can be blocked or manipulated by the browser and should only be used for UI feedback.

Authentication

All API requests to create or manage notification rules use userName and password in the JSON body. These are the same credentials used across other Connected Payments APIs.

{
  "userName": "your-username",
  "password": "your-password"
}

Authentication rules

RuleDescription
Content-TypeInclude Content-Type: application/json on every request
HTTPS onlyUse HTTPS only — HTTP requests are rejected
Case sensitivityUsernames are not case-sensitive; passwords are
SecurityNever pass credentials as URL parameters or in logs
Credential sets

You receive two credential sets at account setup: one for sandbox (username prefixed with TEST) and one for production. Use sandbox credentials when developing and testing — no real transactions or notifications will be sent to live systems.

For alternate authentication methods: Authentication Methods

Validating incoming notifications

Because your notification endpoint is publicly accessible over HTTPS, it is your responsibility to verify that incoming requests genuinely originate from CommBank Connected Payments and have not been spoofed. Use one or both of the following methods — using both together provides the strongest security.

Method 1: IP whitelisting

CommBank Connected Payments sends notifications from static IP addresses per environment. Resolve these using an NS lookup and add them to your firewall allowlist:

EnvironmentDomain
Sandboxsimulation-notifications.connectedpayments.commbank.com.au
Productionnotifications.connectedpayments.commbank.com.au
Use domain names

Use the domain names in your allowlist rather than hardcoded IPs — IP addresses may change with advance notice, but the domains will always resolve to the current correct addresses.

# Resolve current IP addresses for your firewall rules
nslookup simulation-notifications.connectedpayments.commbank.com.au   # Sandbox
nslookup notifications.connectedpayments.commbank.com.au              # Production

Configure your firewall or security group to allow inbound HTTPS traffic from these resolved addresses on port 443.