Skip to main content

Webhooks

Webhooks

Thepeer utilizes webhooks to send data for certain events. One of these events is when a business is on the receiving end of a transaction. We notify the business via webhook on this occasion.


Another event is when a user is about to charge their wallet. We send an authorization payload via webhook to the business for authorization of the charge.


Prerequisite

To be able to receive messages from Thepeer via webhook, we would need your webhook URL.


To enter your webhook URL on your Thepeer dashboard, navigate to the Settings page and click API Keys & Webhooks on the tab menu.


Enter your webhook URL in the input field and click Save Information.


Screenshot of Thepeer's settings page with webhook options enabled

The Retry webhook check indicates to Thepeer to keep sending webhook messages until you successfully verify them.

    You must set your webhook URL on your business dashboard in order to receive webhook notifications.

Webhook Verification

Valid webhook requests contain a x-thepeer-signature header, which is a hex-encoded HMAC SHA1 signature of the request body or a x-business-hash which returns the value set by the business on the dashboard.


Steps to Verify a Webhook

  1. Sign the request body with HMAC SHA1 using your Thepeer secret key.
  2. Compare the result with the value of the x-thepeer-signature header. If they match, then the request is indeed from Thepeer, and then you can return a 200.

Here’s an implementation in php:


php
<?php
  $signature = hash_hmac('sha1', '{"message":"test signing"}', 'YOUR_SECRET_KEY');
  if ($signature === $_SERVER['X-Thepeer-Signature']) {
    // return status 200
  } else {
    // return status 406
  }
?>
    You must return status 200 if a webhook verification is successful.Thepeer will retry 10 times at 5 minute intervals.

Webhook hash

You also have the option to set a secret hash. Since webhook URLs are publicly accessible, the secret hash allows you to verify that incoming requests are from Thepeer. You can specify any value as your secret hash, but we recommend something random. You should also store it as an environment variable on your server.


If you specify a secret hash, we'll include it in our request to your webhook URL, in a header called x-business-hash. In the webhook endpoint, check if the x-business-hash header is present and that it matches the secret hash you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from Thepeer.


Retry Webhook

At times, webhooks may fail to deliver, requiring manual retries via the dashboard.


Exercise caution to avoid double crediting users. Implement safeguards to prevent unintended consequences of these retries.