Handling Webhooks
When a customer completes a hosted checkout, MMG sends an asynchronous callback to your server with the payment result.
Because SDKs are strictly client-side tools, the SDK does not include a callable function to “receive” this webhook. Instead, your backend must act as a server to listen for the incoming request.
However, the Python SDK does provide strictly-typed Pydantic models for the webhook payloads, which integrate seamlessly with modern frameworks like FastAPI.
FastAPI Implementation
The following example demonstrates how to create a webhook listener using FastAPI and the SDK’s generated Pydantic models (CheckoutCallbackRequest and DecryptedCheckoutResponse).
By using CheckoutCallbackRequest as the route’s payload type, FastAPI will automatically validate that the incoming MMG request contains the required token field.
Security Best Practices
- Keep your Private Key secure: Never hardcode your RSA private key in your application code. Always load it securely via environment variables or a secret manager.
- Dynamic Webhook URLs: When you initiate the checkout, you pass a dynamically generated webhook URL to MMG (e.g.,
https://api.yourdomain.com/mmg-sdk/callback/{hash}). Ensure this{hash}is difficult to guess and mapped to the specific checkout session in your database to prevent replay attacks. - Idempotency: Webhooks can sometimes be delivered more than once. Ensure your database logic checks if a
merchantTransactionIdhas already been processed before fulfilling an order.

