Overview

Receive real time notifications of payments, subscriptions, and much more.

Webhooks enable you to receive notifications upon certain webstore events, for example when a new payment is made. We will send a HTTP request containing a JSON object to any configured endpoints that are subscribing to the respective event. Webhooks are a great way to integrate Tebex with your own website, forum or internal database.

How To Setup Webhooks Endpoints

  1. Go to Developers > Webhooks > Endpoints.

  2. Click Add Endpoint.

  3. Enter the URL of your webhook endpoint.

  4. Select the types of webhooks that you'd like to subscribe to.

  5. Click Add.

After adding your endpoint, you will receive a warning to inform you that we haven't been able to validate endpoint. Please see the section below for further information about handling validation webhooks.

Handling Validation Webhooks

Webhooks will not be sent to an endpoint unless it has been validated first. This is to ensure we are not sending HTTP requests to URLs that are not expecting our webhooks.

The validation webhook that we send will look similar to the example below. To identify a validation webhook you can check the type property in the JSON body.

{
  "id": "2c116b11-1110-91e0-b266-b792c8da5f11",
  "type": "validation.webhook",
  "date": "2021-08-24T12:21:47+00:00",
  "subject": {}
}

Upon receiving a validation webhook you must respond with a 200 OK response containing a JSON object that has an id property representing the validation webhook's ID, please see the example response below.

{
  "id": "2c116b11-1110-91e0-b266-b792c8da5f11"
}

Once your endpoint is setup to successfully handle validation webhooks, please visit Developers > Webhooks > Endpoints and click the Validate button next to the endpoint to re-send the validation webhook.

Verifying Webhook Authenticity

IP Address

Webhooks from Tebex will only ever be sent from the two IP addresses listed below.

18.209.80.3 54.87.231.232

When building your webhook endpoint, we suggest that you check the IP address of the sender and throw a 404 Not Found error if the IP address isn't in the above list.

Signature

In addition to checking the IP address, we strongly advise that you verify the X-Signature header that we send with all requests.

The signature is generated by SHA256 hashing the JSON body and then building a SHA256 HMAC with the body hash as the data/content and your webhook secret as the key.

Your webhook secret is displayed on the Developers > Webhooks > Endpoints page. Please see our example code snippets below of how to generate the signature.

$json = file_get_contents('php://input');
$secret = "0d45982a10e3a072d0c1261c55dd9918";
$signature = hash_hmac('sha256', hash('sha256', $json), $secret);

If the signature that you generate doesn't match the X-Signature header, please disregard the webhook because it is not from Tebex.

Some frameworks such as Express (Node.js) automatically parse JSON request bodies which can result in a signature mismatch. Please ensure the signature is calculated using the raw request body and not a parsed version of the body.

Handling Webhooks

All of our webhooks are sent using the standardised format with the following properties:

id: This property represents the unique ID of the webhook. type: The type of webhook we are sending, for example payment.completed. date: This is the date that the webhook was generated. subject: The data within this property will differ depending on the type of webhook. To view the different subject formats please see the subject types below.

When handling a webhook, please ensure you respond with a 2XX status code (anywhere between 200-299). If your endpoint responds with any other status code we will automatically try to resend the webhook later-on.

After several attempts of retrying we will mark the webhook as failed and your endpoint may require validating again.

Webhook Types

  • payment.completed

  • payment.declined

  • payment.refunded

  • payment.dispute.opened

  • payment.dispute.won

  • payment.dispute.lost

  • payment.dispute.closed

  • recurring-payment.started

  • recurring-payment.renewed

  • recurring-payment.ended

  • recurring-payment.cancellation.requested

  • recurring-payment.cancellation.aborted

  • validation.webhook

Webhook Subjects

Useful Status IDs

Decline Reasons

Testing Webhooks

Our webhook testing feature allows you to manually trigger webhooks from your control panel. Please follow the steps below to send a test webhook.

  1. Navigate to Developers > Webhooks in your control panel.

  2. Click the Send Test button.

  3. Choose the type of webhook you'd like to send.

  4. Provide a valid transaction ID if you've selected a payment webhook type, or enter a recurring payment reference if you've chosen a recurring payment webhook type.

  5. Click the Send Test button.

Last updated