Webhooks FAQ
Q. What are Webhooks?
Q. How is it different from Redirection?
Using a webhook, you can have a call issued to your server with a list of key variables containing all transaction details. The data is sent as POST variables.
The Webhook URL and the Custom URL can be different, and you can use both features independently.
For a custom redirect, only a URL has to be specified in the offer details, while the webhook feature needs some integration work by the seller after the Webhook URL has been specified.
So with Webhook, Instamojo now elegantly offers the functionality of sending information to your server after every successful purchase.
Q. How can the Webhook feature benefit me?
1. Sending a custom email from your server at the end of every successful transaction
2. Activation of a user’s account on your service
3. Sending a user the license key to your software
4. Adding a user to your CRM software
5. Adding the transaction to your accounting software
Q. How is the Message Authentication Code generated?
We create a list of all values from the key-value pairs we’re about to send in the POST request and sort them in the order of their keys. We then concatenate all these values together, separated by a pipe (|) character, and use the HMAC-SHA1 algorithm to generate the signature over the resulting string. The HMAC key for the signature generation is the secret salt from the user’s profile (please contact firstname.lastname@example.org to share the URL to which you would like the POST request to be sent and to gain access to your secret salt).
Q. How is the Message Authentication Code useful and do I need to use it?
In short, using MAC is optional, but recommended as a security feature.
Sample code in Python
import hmac
import hashlib

# 'd' is the dictionary that corresponds to the POST request
# 'salt' is the key for the HMAC algorithm (bytes in Python 3)
mac_provided = d.pop('mac')
# Take the values in the order of their keys and join them with '|'
message = '|'.join(str(value) for _, value in sorted(d.items()))
mac_calculated = hmac.new(salt, message.encode('utf-8'), hashlib.sha1).hexdigest()
# compare_digest compares in constant time, unlike ==
if hmac.compare_digest(mac_provided, mac_calculated):
    # MAC is authenticated, proceed with fulfillment
    pass
else:
    # MAC authentication failed, deny fulfillment, inform Instamojo
    pass
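An end-to-end version of the check, as an added example that is not Instamojo's own code: it goes beyond the sample above by parsing the raw POST body, rejecting requests that carry no MAC, and wiring the result into a minimal receiver. The salt value, the payload field names and the `sample_request` helper are constructed for illustration; the `mac` field name follows the sample above.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode

SALT = b"constructed-example-salt"  # placeholder; the real salt comes from your profile


def compute_mac(fields: dict, salt: bytes) -> str:
    """HMAC-SHA1 over the values, ordered by key and joined with '|'."""
    message = "|".join(str(v) for _, v in sorted(fields.items()))
    return hmac.new(salt, message.encode("utf-8"), hashlib.sha1).hexdigest()


def verify_webhook(raw_body: bytes, salt: bytes):
    """Return the verified fields, or None if the MAC is missing or wrong."""
    text = raw_body.decode("utf-8", errors="replace")
    fields = dict(parse_qsl(text, keep_blank_values=True))
    mac_provided = fields.pop("mac", None)
    if mac_provided is None:
        return None
    expected = compute_mac(fields, salt)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac_provided.encode(), expected.encode()):
        return None
    return fields


def sample_request(salt: bytes) -> bytes:
    """Constructed POST body (hypothetical field names), signed as described above."""
    fields = {"payment_id": "MOJO-TEST-0001", "amount": "499.00",
              "buyer": "buyer@example.com", "status": "Credit"}
    return urlencode({**fields, "mac": compute_mac(fields, salt)}).encode()


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        fields = verify_webhook(body, SALT)
        # Fulfil (email, license key, CRM entry) only when fields is not None.
        self.send_response(200 if fields is not None else 400)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), WebhookHandler).serve_forever()
```

Fulfillment logic should only ever read from the dictionary returned by `verify_webhook`, never from the raw request.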