Webhooks

We have various webhooks you can attach to from our webhooks page in the dashboard at https://giftup.app/integrations/api/webhooks

  • Order created
  • Gift card created
  • Gift card updated
  • Gift card redeemed

Testing your endpoint

Before we create a webhook subscription, we will test the provided URL by POSTing a test payload:  { "test": true } to it. You must respond with a 200 response.

Verifying calls are made by us

When we post data to your webhook, we will sign each request to your endpoint with the secret you specified when creating the webhook. This is so that you can ensure that it is Gift Up! that is posting data to you, and not a malicious third party.

The signature is contained in an HTTP header: 

X-Request-Signature-Sha-256: t=1561465443462, sha256=16f67da1bcd72f87dd95534baa0223a450b68 cca122d46dd017074375220b13c

The header contains a timestamp (Unix timestamp in milliseconds) and the signature. The timestamp is prefixed with  t= and the signature is prefixed with sha256=

  1. Split the header using the , character, this will separate the timestamp from the signature. Split each element on  = , to give you key and value.
  2. Prepare the signature to be compared. This is achieved by appending the timestamp to the end of the payload string.
  3. Compute a HMAC with the SHA256 hash function, using the secret you provided for the webhook.
  4. Compare the signature in the header, with the expected signature you calculated in 3.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us