Docs › › Webhooks
Last updated: 16 Dec 2019 / 3:33 PM / GMT
With Webhooks you can build or setup Applications which are subscribed to certain events in the InPlayer platform. When such events get triggered, we will send a HTTP POST requests with specific payloads to the Webhook’s configured URL.
Webhooks are usually used to update or create platform action/operation tracker, trigger marketing campaigns, sync data between platforms or to fetch results of operations in backend applications.
Webhooks can be installed on a merchant account by setting up Webhook URLs and select specific events that you will like to receive.
When configuring a Webhook, you can choose one, or part of the events that you would like to receive payloads for. You can even opt-in to all known InPlayer events.
||Any time any event is triggered (Wildcard Event).|
||External payment sale operation succeeded|
||External payment sale operation failed|
||External subscription succeeded|
||External subscription failed|
||External subscription update succeeded|
||External subscription update failed|
||External subscription cancellation succeeded|
||External subscription cancellation failed|
||External payment refund operation succeeded|
||External payment refund operation failed|
||Billing subscription created|
||Billing subscription cancelled|
||Billing subscription failed|
||Billing subscription cancellation failed|
||Billing subscription expired|
||Billing subscription updated|
||Free asset access was given|
||Free asset access failed|
||Payment sale with card succeeded|
||Payment sale with card failed|
||Payment asset refunded|
||Payment asset refund failed|
Each event type has a specific payload format with the relevant event information. InPlayer Webhooks payload has 2 main parts, different by context: payload headers and payload data.
HTTP Post requests that are being sent to your Webhook URL will have several headers. Among the standard HTTP headers, you can find the custom InPlayer signature header. You will use a signature to validate the event as described in the Validating Events section.
||Inplayer signature hash. Using the signature you can validate the event request|
You can find all relevant info about the event inside the Payload data. In the data of all events you can find the following structure:
||Unique alpha-numeric string that is generated for each sent event.|
||Unix timestamp of the event|
||The actual event type|
||The Webhooks service version|
||Array of all information connected to the resource/operation that you receive for each event.|
Example event request
“description”: “Subscription for asset (1 month subscription)”,
Once you start receiving Webhooks you will need to be sure that the requests you receive are only sent from InPlayer. Some popular methods include restriction per domain or IP address from which you receive the requests, but at InPlayer we insist that you use the InPlayer signature to validate the event.
In order to use the signature for validation, first you will need to have generated an API secret. You can do this in the InPlayer dashboard, in the API section.
Once you have generated a secret, you can use it in your backend application to validate the complete event.
Once your secret code is set up, InPlayer uses it to generate a hash signature with each event. The hash signature is sent as a header with each request as X-InPlayer-Signature.
When you receive an event and you find the signature header, you should create a HASH using the same secret token and then compare your hash to the InPlayer signature header value. If both have the same values you can take that as a validation proof that the event is being sent from InPlayer.
Here is a PHP example of validating an event using the signature comparison method.
$entityBody = file_get_contents(‘php://input’);
function verifySignature($body, $token)
$sig = “sha256=” . hash_hmac(“sha256”, $body, $token);
return hash_equals($_SERVER[“HTTP_X_INPLAYER_SIGNATURE”], $sig);
You can implement the validation in any backend programming language. However, all implementations should have the following two things in common:
1. No matter which implementation you use, the hash signature starts with sha256=, using the key of your secret token and your payload body.
2. Using a plain == operator is not advised. A method like hash_equals performs a “constant time” string comparison, which renders it safe from certain timing attacks against regular equality operators.