What is a payment webhook?
A server-to-server message the gateway sends your backend when a payment's status changes. It's the source of truth for whether you were actually paid, not the browser redirect.
After a payment, two things happen: the customer's browser is redirected back to your site, and the gateway's server sends your server a webhook (some Malaysian providers call it a callback). The redirect can be faked, abandoned or replayed; the signed webhook cannot, so fulfilment must key off the webhook alone.
A safe handler verifies the signature, checks the amount and currency against your own pending record, marks the order paid exactly once, and returns success. Everything else, including redirect pages, is presentation.