> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mag3nt.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Paymentsettled event delivered to your endpoint

> Sent when a pay link settles. Verify the `X-mag3nt-Signature` header
(`t=<unix>,v1=<hmac-sha256(secret, "${t}.${rawBody}")>`) using your
webhook secret before trusting the payload. Respond 2xx to acknowledge;
non-2xx responses are retried with backoff. The `X-mag3nt-Event-Id`
header is stable across retries for idempotency.

Verify against the RAW request body (the exact bytes received), not a
re-serialized object. Use a constant-time comparison and reject events
whose timestamp is outside a tolerance window to block replays.

TypeScript / Node:

```ts
import { createHmac, timingSafeEqual } from "node:crypto";

export function verifyReceipt(
  secret: string,
  rawBody: string,
  signatureHeader: string,
  toleranceSec = 300,
): boolean {
  const parts = Object.fromEntries(
    signatureHeader.split(",").map((kv) => {
      const i = kv.indexOf("=");
      return [kv.slice(0, i).trim(), kv.slice(i + 1).trim()];
    }),
  ) as Record<string, string>;
  const t = Number(parts.t);
  const v1 = parts.v1;
  if (!t || !v1) return false;
  if (Math.abs(Math.floor(Date.now() / 1000) - t) > toleranceSec) return false;
  const expected = createHmac("sha256", secret)
    .update(`${t}.${rawBody}`)
    .digest("hex");
  const a = Buffer.from(expected);
  const b = Buffer.from(v1);
  return a.length === b.length && timingSafeEqual(a, b);
}
```

Python:

```python
import hmac, hashlib, time

def verify_receipt(
    secret: str, raw_body: str, signature_header: str, tolerance_sec: int = 300
) -> bool:
    try:
        parts = dict(p.split("=", 1) for p in signature_header.split(","))
        t = int(parts["t"])
        v1 = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(int(time.time()) - t) > tolerance_sec:
        return False
    expected = hmac.new(
        secret.encode(), f"{t}.{raw_body}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, v1)
```




## OpenAPI

````yaml /openapi.yaml webhook payment.settled
openapi: 3.1.0
info:
  title: mag3nt API
  version: '2026-06-04'
  description: >
    Payment infrastructure for AI agents. Issue virtual cards, pay for API
    access via x402/AP2/MPP protocols, and settle in USDC on Base.
  contact:
    name: mag3nt
    url: https://mag3nt.com
  license:
    name: Proprietary
    url: https://github.com/mag3nt-com/mag3nt-node/blob/main/LICENSE
servers:
  - url: https://mag3nt.com
    description: Production
security:
  - ApiKeyAuth: []
tags:
  - name: Payments
    description: Universal outbound protocol payments
  - name: Cards
    description: Virtual payment card lifecycle
  - name: Keys
    description: Developer API key management
  - name: Funding
    description: Treasury deposits and balances
  - name: x402
    description: HTTP 402 payment protocol
  - name: AP2
    description: Agent-to-Agent Payment Protocol
  - name: MPP
    description: Micropayment Protocol with streaming
  - name: Pay Links
    description: Shareable payment URLs
  - name: Withdrawals
    description: Withdraw unspent funds back to wallet
  - name: Settlement
    description: On-chain settlement status
  - name: Webhooks
    description: Signed payment.settled notifications for sellers
  - name: Status
    description: System health and configuration
externalDocs:
  description: mag3nt documentation
  url: https://docs.mag3nt.com
paths: {}
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: Authorization
      description: API key prefixed with 'Bearer sx_live_...'

````