The request
Reap sends aCARD_AUTHORIZATION_REQUEST as a signed HTTPS POST to your registered endpoint. It carries the same { id, type, data } envelope and X-Reap-Webhook-* headers as every other Reap webhook, so you can verify the signature - over the raw request bytes - and route it through the same code path. The one difference is that Reap consumes your HTTP response as the decision.
The body is the envelope: type is always CARD_AUTHORIZATION_REQUEST and data carries the authorization payload.
data fields:
The payload is a subset of the card transaction resource and reuses its field names, types, and enums. The generated
CARD_AUTHORIZATION_REQUEST webhook reference is the authoritative schema - build your integration against it. For the shared formats of channel, digitalWallet, and merchant, see the card transaction resource.
Your response
Respond with200 and a JSON body carrying your decision. The body is a discriminated object keyed on decision.
To approve:
reason:
These are the only reasons you return. Card and account state declines are decided by Reap before you are called, so they are not yours to return. The decision object is intentionally small so it can gain options later, such as partial approval, without breaking your integration.
Responding in time
You must return a decision within 1.6 seconds. The card network does not wait, and there is no retry on the live transaction. Reap fails closed. If your endpoint times out, is unreachable, returns a non-2xx status, or returns a body Reap cannot parse, Reap declines the transaction. The cardholder sees a generic decline (INTERNAL_ERROR), so keep your endpoint highly available and monitor it. Reap records the underlying cause on its side for support.