Set up webhooks

Webhooks are notifications about events occurring in the system. When a specific event occurs, Xsolla sends an HTTP request, in which event data is transmitted, to your application. This is usually a POST request in JSON format.

Event examples:

• user interaction with an item catalog
• payment or cancellation of an order

List of webhooks

To fully operate an in-game store, it is necessary to implement the processing of the main webhooks:

• Payment — is sent when an order is paid and contains payment data and transaction details.
• Successful payment of the order — is sent when a Payment webhook has been successfully processed and contains information about purchased items and the transaction ID. Use the data from the webhook to add items to the user.
• Refund — is sent when an order is canceled and contains the canceled payment data and transaction details.
• Order cancellation — is sent when a Refund webhook has been successfully processed and contains information about the purchased items and the ID of the canceled transaction. Use the data from the webhook to remove the purchased items.

• User validation — is sent at different stages of the payment process to ensure the user is registered in the game.

If item catalog personalization is implemented on your application’s side, set up processing of Catalog personalization on the partner’s side.

You can test the receiving of the following webhooks:

Set up webhooks in Publisher Account

To enable receiving webhooks:

1. Open your project in Publisher Account.
2. Click Project settings in the side menu and go to the Webhooks tab.
3. In the Webhook server field, specify the URL of your server where you want to receive webhooks in the https://example.com format. You can also specify the URL you find in a tool for testing webhooks.
4. A secret key to sign project webhooks is generated by default. If you want to generate a new secret key, click the refresh icon.
5. Click Enable webhooks.

1. Open your project in Publisher Account.
2. Click Project settings in the side menu and go to the Webhooks tab.
3. Click Disable webhooks.

Test webhooks in Publisher Account

You can test the receiving of the following webhooks:

If webhooks are set up successfully, a webhook testing block is displayed below the webhook setup block.

• Store
• Payments

In the Store tab, you can test the following webhooks:

• Successful payment of the order (order_paid)
• Order cancellation (order_canceled)

To test:

1. In the webhook testing block, navigate to the Store tab.
2. In the drop-down menu, select the type of item. If the item of selected type is not set up in Publisher Account, click:
   • Connect – if the module with items of this type is not connected
   • Configure – if you connected the module previously, but have not completed the setup

1. When you click the button, you will be redirected to the section of Publisher Account corresponding to the type of the selected item. After creating the item, return to the webhook testing section and proceed to the next step.

3. Enter any value in the Xsolla Order ID field.
4. Select the items’ SKU from the drop-down list and indicate the amount. You can choose multiple items of the same type by clicking + and adding them in a new line.
5. Choose the currency in which the order will be paid.
6. Click Test.

Successful payment of the order and Order cancellation webhooks with the specified data are sent to the provided URL. The results of testing each webhook type are displayed below the Test buttons.

Note

If an error message appears in the testing block stating that the test has not passed, check the webhook response settings in your webhook listener. Information about these errors are available in the test results.

In the Payments tab, you can test the following webhooks:

• User validation (user_validation)
• Payment (payment)

To test:

1. In the testing section, go to the Payments tab.
2. Fill in the necessary fields:
   • User ID — when testing, you can use any combination of letters and digits.
   • Public user ID — ID known to a user, e.g., an email or a nickname. This field is displayed if public user ID is enabled in your project in the Pay Station > Settings > Additional settings section.
   • Currency — select a currency from the drop-down list.
   • Xsolla Invoice ID — transaction ID on Xsolla side. When testing, you can use any numeric value.
   • Amount — payment amount. When testing, you can use any numeric value.
   • Invoice ID — transaction ID on your game’s side. When testing, you can use any combination of letters and digits. It is not a required parameter for a successful payment, but you can pass it to link the transaction ID on your side to the transaction ID on Xsolla side.
3. Click Test webhooks.

In the specified URL, you will receive webhooks with filled in data. Testing results of each webhook, for both a successful scenario and a scenario with an error, are displayed under the Test webhooks button. If public user ID is enabled in your project, you will also see the results of a user search check.

For each webhook, you need to configure processing both scenarios: a successful one and the one with an error.

When you save the URL in the Webhook server field, you can see the Advanced settings section where you can give permissions to receive detailed information in webhooks. To do that, set the respective toggles to On. In the line of each permission, you can see the list of webhooks affected by the settings.

Webhook listener

Webhook listener is program code that allows receiving incoming webhooks at a specified URL address, generating a signature, and sending a response to the Xsolla webhook server.

Generation of signature

When receiving a webhook, you should ensure the security of data transmission. To achieve this, a signature must be generated from the webhook data and verified that it matches the signature sent in the HTTP request header.

To generate a signature:

1. Concatenate the JSON from the request body and the project’s secret key.
2. Apply the SHA-1 cryptographic hash function to the string obtained in the first step.

Sending responses to webhook

To confirm receipt of the webhook, your server must return:

• 200, 201, or 204 HTTP code in case of a successful response.
• 400 HTTP-code with description of the problem if the specified user was not found or an invalid signature was passed.

Your webhook handler may also return a 5xx code in case of temporary issues on your server.

If a response was not received for the Successful payment of the order and Order cancellation webhooks or if a response with a 5xx code was received, the webhooks are resent according to the following schedule:

• 2 attempts with a 5-minute interval
• 7 attempts with a 15-minute interval
• 10 attempts with a 60-minute interval

Maximum of 20 attempts to send webhooks are made within 12 hours from the first attempt.

If for the Payment webhook a response was not received or if a response with a 5xx code was received, webhooks are also resent with an increased time interval. A maximum of 12 attempts are made within 12 hours.

If a response was not received for the User validation webhook or a response with a code of 400 or 5xx was received, the User validation webhook is not resent.

In this case, an error is shown to the user and the Payment and Successful payment of the order webhooks are not sent.