API Reference
Transactions
API Reference
Webhooks are an important part of your payment integration. They allow Giftcard Whitelabel notify you about events that happen on your account, such as a charge or payment transaction. A webhook URL is an endpoint on your server where you can receive notifications about such events. When an event occurs, we'll make a POST request to that endpoint, with a JSON body containing the details about the event, including the type of event and the data associated with it.
Here's how to set up a webhook on your Giftcard Whitelabel account:
When enabling webhooks, you have to set a webhook secret. Since webhook URLs are publicly accessible, the webhook secret allows you to verify that incoming requests are from Giftcard Whitelabel. You can specify any value as your secret hash, but we recommend something random. You should also store it as an environment variable on your server. You must specify a webhook secret, as we'll include it in our request to your webhook URL, in a header called Signature. In the webhook endpoint, check if the Signature header is present and that it matches the secret hash you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from Giftcard Whitelabel.
To acknowledge receipt of a webhook, your endpoint must return a 200 HTTP status code. Any other response codes, including 3xx codes, will be treated as a failure. We don't care about the response body or headers
Some web frameworks like Rails or Django, automatically check that every POST request contains a CSRF token. This is a useful security feature that protects you and your users from cross-site request forgery.
Here are a few examples of implementing a webhook endpoint in php
// In a Laravel-like app:
Route::post('webhook', function (\Illuminate\Http\Request $request) {
//check for the signature
$secret = '12345';
$signature = $request->header('webhook-secret');
$sign_secret = hash_hmac('sha256', json_encode($request->all()), $secret);
if (!$signature || ($signature !== $sign_secret)) {
// This request isn't from Giftcard Whitelabel; discard
abort(401);
}
$payload = $request->all();
// It's a good idea to log all received events.
Log::info($payload);
// Do something (that doesn't take too long) with the payload
return response(200);
});
In a case where Giftcard Whitelabel was unable to reach the URL, all the webhooks will be retried. Webhook URLs must respond with a status 200 OK or the request will be considered unsuccessful and retried.
The JSON payload below is a sample response of a webhook event that gets sent to your webhook URL. You should know that all webhook events across Giftcard Whitelabel, payout, funding, payouts all follow the same payload format as shown below.
| Fields | Descriptions |
|---|---|
| event | The name or type of webhook event that gets sent eg; charge. |
| data | The payload of the webhook event object that gets sent. |
{
"event": "transaction.pending",
"data": {
"id": "d7f97128-98f8-4dbc-940a-8f0be0b3eb1b",
"amount": "1196.68",
"charge": "0.00",
"status": "pending",
"mode": "test",
"card_url": null,
"card_id": null,
"card": "PlayStation Gift Card ₦15,000.00"
}
}
{
"event": "transaction.success",
"data": {
"id": "6a5c9d34-0392-40a4-b64e-03792b31007b",
"amount": "996.68",
"charge": "0.00",
"status": "success",
"mode": "test",
"card_url": "https://whitelabel.markets/demos/giftcard/giftcard-pin/15e8c77a-fb78-43a9-ae57-74fa1cd75a86",
"card": "Mockup Card ₦15,000.00"
}
}
{
"event": "transaction.declined",
"data": {
"id": "d7f97128-98f8-4dbc-940a-8f0be0b3eb1b",
"amount": "1196.68",
"charge": "0.00",
"status": "declined",
"mode": "test",
"card_url": null,
"card_id": null,
"card": "PlayStation Gift Card ₦15,000.00"
}
}
Have a backup strategy in place, in case your webhook endpoint fails. For instance, if your webhook endpoint is throwing server errors, you won't know about any new customer payments because webhook requests will fail.
Your webhook endpoint needs to respond within a certain time limit, or we'll consider it a failure and try again. Avoid doing long-running tasks or network calls in your webhook endpoint so you don't hit the timeout. If your framework supports it, you can have your webhook endpoint immediately return a 200 status code, and then perform the rest of its duties; otherwise, you should dispatch any long-running tasks to a job queue, and then respond.