Webhooks
When an order status changes, our system sends a POST request to your callback URL.
How It Works
- Pass
callback_urlwhen creating an order - When the order completes or fails, we POST to your URL
- Verify the signature to ensure it came from us
Create Order with Callback
POST /api/v1/orders/create_order
Request Body:
{
"product_code": "mlbb_100_diamonds",
"game_user_id": "123456",
"callback_url": "https://your-server.com/webhook"
}
Webhook Payload
{
"event": "order.completed",
"timestamp": "2026-06-26T12:00:00Z",
"data": {
"transaction_id": "TX-20260626-1234",
"product_code": "mlbb_100_diamonds",
"product_name": "100 Diamonds",
"game_code": "mlbb",
"game_user_id": "123456",
"sell_price": 1.50,
"status": "success"
}
}
Events
| Event | Description |
|---|---|
order.completed | Order successfully processed |
order.failed | Order failed |
Security Verification
Every webhook includes an X-Signature header:
X-Signature: sha256=<hash>
Hash formula:
signature = hmac_sha256(json_payload, api_key)
Node.js
const crypto = require('crypto');
function verifyWebhook(req, apiKey) {
const signature = req.headers['x-signature'];
const payload = JSON.stringify(req.body);
const expected = 'sha256=' + crypto
.createHmac('sha256', apiKey)
.update(payload)
.digest('hex');
return signature === expected;
}
app.post('/webhook', (req, res) => {
if (!verifyWebhook(req, API_KEY)) {
return res.status(401).json({ error: 'Invalid signature' });
}
console.log(req.body.event);
res.json({ received: true });
});
Python
import hmac
import hashlib
def verify_webhook(payload, signature, api_key):
expected = 'sha256=' + hmac.new(
api_key.encode(),
payload.encode(),
hashlib.sha256
).hexdigest()
return signature == expected
@app.route('/webhook', methods=['POST'])
def webhook():
sig = request.headers.get('X-Signature')
if not verify_webhook(request.data.decode(), sig, API_KEY):
return jsonify({'error': 'Invalid signature'}), 401
print(request.json['event'])
return jsonify({'received': True})
PHP
<?php
function verifyWebhook($payload, $signature, $apiKey) {
$expected = 'sha256=' . hash_hmac('sha256', $payload, $apiKey);
return hash_equals($expected, $signature);
}
$payload = file_get_contents('php://input');
$sig = $_SERVER['HTTP_X_SIGNATURE'];
if (!verifyWebhook($payload, $sig, $API_KEY)) {
http_response_code(401);
echo json_encode(['error' => 'Invalid signature']);
exit;
}
$data = json_decode($payload, true);
echo $data['event'];