Balady BNPL Integration
2026
Buy-Now-Pay-Later integration with a leading Saudi bank in the Unified Payment Page. Multi-provider architecture with signed-webhook security stack (HMAC-SHA256, IP allow-list, replay protection, idempotency) and encrypted single-use presigned URLs.
The problem
Citizens want to spread payments for higher-value Balady services (e.g. permit fees, infringement settlements). Integrating with a Buy-Now-Pay-Later provider opens two attack surfaces simultaneously:
- Webhook ingest — the bank pushes payment-status events into Balady’s network. Anyone who can forge one of those requests could mark an unpaid debt as settled.
- Presigned redirect URLs — citizens are sent off-domain to complete the BNPL flow. A leaked URL can be replayed by an attacker, and if its parameters are readable they can be tampered with.
The architecture
Multi-provider design — the launch bank is the first integrated provider but the contract is generic, so additional providers slot in without rework.
Signed-webhook security stack at Apigee:
- HMAC-SHA256 signature verification against the shared secret
- IP allow-list restricting traffic to the bank’s known egress ranges
- Replay protection via a sliding-window nonce store
- Idempotency keys — a webhook seen twice has no double effect
The HMAC signature is verified at the gateway and re-checked independently at the service — defence in depth, so a request that slips past the edge is still rejected at the core. A BNPL request also captures an invoice snapshot with a TTL, so retries and double-taps converge on the same single-use redirect, and webhook re-deliveries resolve against the same snapshot, rather than creating duplicates.
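The service-side re-check of the four webhook controls, written out as an added example. This is not the project's ASP.NET Core or Apigee code: it is a stand-alone Python reference showing the order the checks should run in and why. The header names (X-Timestamp, X-Nonce, X-Signature), the canonical string that is signed, the event body shape and the allow-listed range are all assumptions; the in-memory Store stands in for the Redis nonce window and idempotency set.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed values for the example. Header names, canonical string and the
# allow-listed range are assumptions, not the bank's published contract.
WEBHOOK_SECRET = b"shared-webhook-secret"
BANK_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
REPLAY_WINDOW_S = 300


def sign(ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over timestamp, nonce and the raw body (what the sender computes)."""
    msg = f"{ts}.{nonce}.".encode() + body
    return hmac.new(WEBHOOK_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class WebhookRequest:
    source_ip: str
    headers: dict
    body: bytes


@dataclass
class Store:
    """Stands in for the Redis tier: nonce window, idempotency keys, payment ledger."""
    nonces: dict = field(default_factory=dict)   # nonce -> expiry
    processed: set = field(default_factory=set)  # event ids already applied
    ledger: dict = field(default_factory=dict)   # invoice -> status


def verify_and_apply(req: WebhookRequest, store: Store, now: int) -> str:
    # 1. IP allow-list: anything outside the bank's egress ranges is dropped first.
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in BANK_EGRESS):
        return "rejected: source ip"
    # 2. Timestamp bounds both the replay window and the size of the nonce store.
    try:
        ts = int(req.headers["X-Timestamp"])
    except (KeyError, ValueError):
        return "rejected: timestamp"
    if abs(now - ts) > REPLAY_WINDOW_S:
        return "rejected: stale"
    # 3. Signature: constant-time compare over exactly the bytes received.
    nonce = req.headers.get("X-Nonce", "")
    expected = sign(ts, nonce, req.body).encode()
    if not hmac.compare_digest(expected, req.headers.get("X-Signature", "").encode()):
        return "rejected: signature"
    # 4. Replay: only authenticated nonces enter the sliding window, so an
    #    attacker cannot fill it with junk before the signature check.
    store.nonces = {n: exp for n, exp in store.nonces.items() if exp > now}
    if nonce in store.nonces:
        return "rejected: replay"
    store.nonces[nonce] = now + REPLAY_WINDOW_S
    # 5. Idempotency: a legitimate re-delivery (new nonce, same event id) is
    #    acknowledged without a second state change.
    try:
        event = json.loads(req.body)
        key, invoice, status = event["event_id"], event["invoice"], event["status"]
    except (ValueError, KeyError, TypeError):
        return "rejected: body"
    if key in store.processed:
        return "duplicate"
    store.ledger[invoice] = status
    store.processed.add(key)
    return "applied"


def make_request(ip: str, ts: int, nonce: str, body: bytes, sig: str = None) -> WebhookRequest:
    sig = sign(ts, nonce, body) if sig is None else sig
    return WebhookRequest(ip, {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}, body)


def demo():
    """Constructed traffic: one good event, then the ways an attacker or a retry can repeat it."""
    store, now = Store(), 1_700_000_000
    body = json.dumps({"event_id": "evt-1", "invoice": "INV-42", "status": "PAID"}).encode()
    good = make_request("203.0.113.10", now, "n1", body)
    forged_body = body.replace(b"INV-42", b"INV-99")  # original signature, different invoice
    results = {
        "first": verify_and_apply(good, store, now),
        "replay": verify_and_apply(good, store, now + 5),
        "redelivery": verify_and_apply(make_request("203.0.113.10", now + 10, "n2", body), store, now + 10),
        "forged": verify_and_apply(make_request("203.0.113.10", now, "n3", forged_body,
                                                sig=good.headers["X-Signature"]), store, now),
        "outside": verify_and_apply(make_request("198.51.100.7", now, "n4", body), store, now),
        "stale": verify_and_apply(make_request("203.0.113.10", now - 900, "n5", body), store, now),
    }
    return results, store.ledger
```

The replay and idempotency checks are deliberately separate: the nonce window rejects a captured request re-sent by an attacker, while the event id lets the bank's own at-least-once re-delivery (fresh nonce, fresh signature) return success without touching the ledger twice.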
Encrypted single-use presigned URLs with double-validation:
- The URL is signed AND encrypted, so its contents (citizen-id, amount, reference) can neither be read nor modified by the citizen or by anyone who intercepts the link
- Validated once at the Unified Payment Page (front side) AND once at the callback (back side) — both validations must agree
Pattern view — four webhook checks at the gateway; redirect URLs encrypted and validated on both sides.
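The encrypted single-use redirect with front-side and back-side validation, plus the invoice snapshot with a TTL from the webhook section, as one added example. It is not the project's code. Two things are assumptions: the token layout (nonce || ciphertext || HMAC tag, URL-safe base64, JSON payload with cid/ref/amt/exp/jti fields), and the cipher, which is HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC) chosen only so the example runs on the standard library; production code would use an AEAD such as AES-GCM instead. The RedirectRegistry stands in for the Redis-backed single-use store.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed keys; in production both derive from a KMS/vault-held master key.
MASTER_KEY = b"presigned-url-master-key"
ENC_KEY = hmac.new(MASTER_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER_KEY, b"mac", hashlib.sha256).digest()
TOKEN_TTL_S = 600


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for an AEAD's cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(payload: dict) -> str:
    """Encrypt-then-MAC; the citizen sees only opaque base64."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps(payload, separators=(",", ":")).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode().rstrip("=")


def open_token(token: str):
    """Verify the tag before decrypting; any tampering or truncation yields None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < 16 + 1 + 32:
        return None
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(nonce, len(cipher)))))


class RedirectRegistry:
    """Single-use state per token id (jti) and the invoice snapshot; Redis stand-in."""

    def __init__(self):
        self.tokens = {}     # jti -> {"state", "ref", "amt", "exp"}
        self.snapshots = {}  # invoice ref -> (token, expiry)

    def issue(self, citizen_id: str, ref: str, amount: int, now: int) -> str:
        snap = self.snapshots.get(ref)
        if snap and snap[1] > now:
            return snap[0]  # retry or double-tap inside the TTL: same redirect, no duplicate
        jti, exp = secrets.token_hex(8), now + TOKEN_TTL_S
        token = seal({"cid": citizen_id, "ref": ref, "amt": amount, "exp": exp, "jti": jti})
        self.tokens[jti] = {"state": "issued", "ref": ref, "amt": amount, "exp": exp}
        self.snapshots[ref] = (token, exp)
        return token

    def validate_front(self, token: str, now: int) -> str:
        """Unified Payment Page, before the citizen is handed to the bank."""
        p = open_token(token)
        if p is None or p["exp"] < now:
            return "rejected"
        rec = self.tokens.get(p["jti"])
        if rec is None or rec["state"] != "issued":
            return "rejected"  # unknown id, or already presented: a replayed URL
        rec["state"] = "presented"
        return "ok"

    def validate_back(self, token: str, reported_amount: int, now: int) -> str:
        """Bank callback; must agree with what the front side recorded and with the bank's amount."""
        p = open_token(token)
        if p is None or p["exp"] < now:
            return "rejected"
        rec = self.tokens.get(p["jti"])
        if rec is None or rec["state"] != "presented":
            return "rejected"  # no prior front-side pass, or a second callback
        if (p["ref"], p["amt"]) != (rec["ref"], rec["amt"]) or reported_amount != p["amt"]:
            return "rejected"
        rec["state"] = "completed"
        return "ok"


def demo():
    """Constructed flow: one citizen, one invoice, then every way the link can be misused."""
    reg, now = RedirectRegistry(), 1_700_000_000
    t1 = reg.issue("C1", "INV-42", 1500, now)
    t2 = reg.issue("C1", "INV-42", 1500, now + 5)  # double-tap on the pay button
    raw = bytearray(base64.urlsafe_b64decode(t1 + "=" * (-len(t1) % 4)))
    raw[20] ^= 1  # flip one ciphertext bit (inside the encrypted payload)
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode().rstrip("=")
    return {
        "same_redirect": t1 == t2,
        "service_can_read": open_token(t1)["cid"],
        "tampered": reg.validate_front(tampered, now),
        "back_before_front": reg.validate_back(t1, 1500, now),
        "front": reg.validate_front(t1, now + 10),
        "front_replay": reg.validate_front(t1, now + 20),
        "back": reg.validate_back(t1, 1500, now + 30),
        "back_replay": reg.validate_back(t1, 1500, now + 40),
        "expired": reg.validate_front(reg.issue("C2", "INV-7", 900, now), now + TOKEN_TTL_S + 1),
    }
```

Note the state machine: issued, presented, completed. A callback that arrives without a prior front-side pass, a second callback, or a replayed redirect all fail on state alone, before any amount is compared, and the tag check runs before decryption so a modified token never reaches the JSON parser.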
Runtime
ASP.NET Core (horizontally scaled, stateless replicas), a highly-available Redis tier backing the cache-first read paths and the replay-protection nonce store, and an asynchronous event bus that publishes payment-status events to downstream service consumers. A small, well-defined set of integration flows covers eligibility checks, BNPL request creation, asynchronous webhook status updates, and status queries.
Graceful degradation — read paths are cache-first, and a circuit breaker on the provider falls back to the last-known status from the database; a response header tells the caller whether the data is live, cached, or stale, so consumers never mistake a fallback for a fresh result.
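The degraded read path as an added example, not the project's ASP.NET Core code: cache first, then the provider behind a circuit breaker, then the last-known status from the database, with a response header naming the source. The header name X-Data-Source, the breaker thresholds and the TTLs are assumptions, as is the "unavailable" outcome for an invoice with no stored status at all, which the page does not describe; the in-memory dicts stand in for Redis and the database.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class ProviderDown(Exception):
    """Raised by the provider client on timeout or 5xx."""


@dataclass
class CircuitBreaker:
    """Opens after `threshold` consecutive failures; after `cooldown` seconds one probe call is let through."""
    threshold: int = 3
    cooldown: float = 30.0
    failures: int = 0
    opened_at: Optional[float] = None

    def allow(self, now: float) -> bool:
        return self.opened_at is None or now - self.opened_at >= self.cooldown

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = now  # (re)open; a failed probe keeps it open


@dataclass
class StatusService:
    provider: Callable[[str], str]  # provider(ref) -> status, or raises ProviderDown
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # Redis stand-in: ref -> (status, expiry)
    db: Dict[str, str] = field(default_factory=dict)  # last-known status per ref
    breaker: CircuitBreaker = field(default_factory=CircuitBreaker)
    cache_ttl: float = 60.0

    def get_status(self, ref: str, now: float) -> Tuple[Optional[str], Dict[str, str]]:
        """Cache first, then the provider behind the breaker, then the DB fallback.
        X-Data-Source (assumed header name) tells the caller: live, cached or stale."""
        hit = self.cache.get(ref)
        if hit and hit[1] > now:
            return hit[0], {"X-Data-Source": "cached"}
        if self.breaker.allow(now):
            try:
                status = self.provider(ref)
            except ProviderDown:
                self.breaker.record(False, now)
            else:
                self.breaker.record(True, now)
                self.cache[ref] = (status, now + self.cache_ttl)
                self.db[ref] = status
                return status, {"X-Data-Source": "live"}
        if ref in self.db:
            return self.db[ref], {"X-Data-Source": "stale"}
        return None, {"X-Data-Source": "unavailable"}  # nothing to degrade to (added case)


def demo():
    """Constructed provider that can be switched off; returns the sources seen and calls made while open."""
    calls = {"n": 0}
    down = {"flag": False}

    def provider(ref: str) -> str:
        calls["n"] += 1
        if down["flag"]:
            raise ProviderDown
        return "PAID"

    svc = StatusService(provider=provider)
    sources = []
    sources.append(svc.get_status("INV-42", 0.0)[1]["X-Data-Source"])    # live
    sources.append(svc.get_status("INV-42", 10.0)[1]["X-Data-Source"])   # cached, inside the TTL
    down["flag"] = True
    for t in (100.0, 101.0, 102.0):                                      # cache expired, provider failing
        sources.append(svc.get_status("INV-42", t)[1]["X-Data-Source"])  # stale each time; third failure opens
    before = calls["n"]
    sources.append(svc.get_status("INV-42", 103.0)[1]["X-Data-Source"])  # open: stale, provider not called
    calls_while_open = calls["n"] - before
    sources.append(svc.get_status("INV-7", 104.0)[1]["X-Data-Source"])   # never seen, no fallback
    down["flag"] = False
    sources.append(svc.get_status("INV-42", 200.0)[1]["X-Data-Source"])  # cooldown elapsed: probe succeeds
    return sources, calls_while_open
```

The breaker only ever short-circuits the provider call; the cached and stale branches serve regardless of its state, and the header is set on every branch so a consumer can refuse to act on a fallback (for example, not releasing a permit on a "stale" PAID).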
Outcome
A defensible BNPL surface for the Balady estate. The webhook security stack is now the template for any other bank that joins the Unified Payment Page.