Set up webhooks

Webhooks are notifications about events occurring in the system. When a specific event occurs, Xsolla sends an HTTP request, in which event data is transmitted, to your application. This is usually a POST request in JSON format.

Event examples:

  • user interaction with an item catalog
  • payment or cancellation of an order

List of webhooks

If you want to receive event notifications, implement webhook handling:

  • Payment — is sent when an order is paid and contains payment data and transaction details.
  • Successful payment of the order — is sent when a Payment webhook has been successfully processed and contains information about purchased items and the transaction ID.
  • Refund — is sent when an order is canceled and contains the canceled payment data and transaction details.
  • Order cancellation — is sent when a Refund webhook has been successfully processed and contains information about the purchased items and the ID of the canceled transaction.
  • User validation — is sent at different stages of the payment process to ensure the user is registered in the game. Contains information about the user who buys the game key.

If item catalog personalization is implemented on your application’s side, set up processing of Catalog personalization on the partner’s side.

If you are using an external ID (transaction ID on your system) and want to associate it with a transaction ID on Xsolla’s side or pass additional parameters when validating the user, implement the webhook Transaction’s ID linking.

Set up webhooks in Publisher Account

To enable receiving webhooks:

  1. Open your project in Publisher Account.
  2. Click Project settings in the side menu and go to the Webhooks tab.
  3. In the Webhook server field, specify the URL of your server where you want to receive webhooks in the https://example.com format. You can also specify the URL you find in a tool for testing webhooks.
  4. A secret key to sign project webhooks is generated by default. If you want to generate a new secret key, click the refresh icon.
  5. Click Enable webhooks.

Note
To test webhooks, you can select any dedicated website, such as webhook.site, or a platform, such as ngrok.
Notice
You can’t simultaneously send webhooks to different URLs. What you can do in Publisher Account is specify a URL for testing first, and then replace it with the real one.
To disable receiving webhooks:
  1. Open your project in Publisher Account.
  2. Click Project settings in the side menu and go to the Webhooks tab.
  3. Click Disable webhooks.

Test webhooks in Publisher Account

You can test the receiving of the following webhooks:

Webhook nameWebhook type
User validationuser_validation
Paymentpayment
Order cancellationorder_canceled
Successful payment of the orderorder_paid

If webhooks are set up successfully, a webhook testing block is displayed below the webhook setup block.

Webhook listener

Webhook listener is program code that allows receiving incoming webhooks at a specified URL address, generating a signature, and sending a response to the Xsolla webhook server.

Generation of signature

When receiving a webhook, you should ensure the security of data transmission. To achieve this, a signature must be generated from the webhook data and verified that it matches the signature sent in the HTTP request header.

To generate a signature:

  1. Concatenate the JSON from the request body and the project’s secret key.
  2. Apply the SHA-1 cryptographic hash function to the string obtained in the first step.

Sending responses to webhook

To confirm receipt of the webhook, your server must return:

  • 200, 201, or 204 HTTP code in case of a successful response.
  • 400 HTTP-code with description of the problem if the specified user was not found or an invalid signature was passed.

Your webhook handler may also return a 5xx code in case of temporary issues on your server.

If a response was not received for the Successful payment of the order and Order cancellation webhooks or if a response with a 5xx code was received, the webhooks are resent according to the following schedule:

  • 2 attempts with a 5-minute interval
  • 7 attempts with a 15-minute interval
  • 10 attempts with a 60-minute interval

Maximum of 20 attempts to send webhooks are made within 12 hours from the first attempt.

If for the Payment webhook a response was not received or if a response with a 5xx code was received, webhooks are also resent with an increased time interval. A maximum of 12 attempts are made within 12 hours.

If a response was not received for the User validation webhook or a response with a code of 400 or 5xx was received, the User validation webhook is not resent.

In this case, an error is shown to the user and the Payment and Successful payment of the order webhooks are not sent.

Note
The complete list and mechanism of webhooks, along with detailed examples of their processing, are described in the webhooks documentation.
Was this article helpful?
Thank you!
Is there anything we can improve? Message
We’re sorry to hear that
Please explain why this article wasn’t helpful to you. Message
Thank you for your feedback!
We’ll review your message and use it to help us improve your experience.
Rate this page
Rate this page
Is there anything we can improve?

Don’t want to answer

Thank you for your feedback!

Continue reading

Last updated: March 18, 2024

Found a typo or other text error? Select the text and press Ctrl+Enter.

Report a problem
We always review our content. Your feedback helps us improve it.
Provide an email so we can follow up
Thank you for your feedback!