Webhooks are notifications about events occurring in the system. When a specific event occurs, Xsolla sends an HTTP request, in which event data is transmitted, to your application. This is usually a POST request in JSON format.
Event examples:
When a set event happens, Xsolla notifies your system about it via a webhook. As a result, you can perform actions such as:
Example of a payment processing webhook workflow:
Video guide for Xsolla webhooks integration:
Webhooks settings when working with Xsolla products and solutions:
Product/ Solution | Required/ Optional | What are webhooks used for |
---|---|---|
Payments | Required |
|
In-Game Store | Required |
|
Buy Button | Optional | For selling game keys, user validation and crediting of items are not required. You can connect webhooks if you want to receive information about events, such as payment or order cancellation. If you connect webhooks, it is important to process all incoming required webhooks. |
Subscriptions | Optional | To receive information about creation, update, or cancellation of a subscription. Alternatively, you can request information via the API. |
Web Shop | Optional | For user authentication, if you use authentication via user ID. Alternatively, you can use user authentication via Xsolla Login. |
Digital Distribution Hub | Optional |
You can learn more in the instruction for setting up webhooks for Digital Distribution Hub. |
If you use products and solutions that require webhooks, enable and test the webhooks in your Publisher Account and set up their processing. When specific events occur, webhooks are sent sequentially. Therefore, if you do not process one of the webhooks, subsequent webhooks will not be sent. The list of required webhooks is presented below.
To fully operate an in-game store, it is necessary to implement the processing of the main webhooks:
user_validation
) — is sent at different stages of the payment process to ensure the user is registered in the game.payment
) — is sent when an order is paid and contains payment data and transaction details.order_paid
) — is sent when a Payment webhook has been successfully processed and contains information about purchased items and the transaction ID. Use the data from the webhook to add items to the user.refund
) — is sent when an order is canceled and contains the canceled payment data and transaction details.order_canceled
) — is sent when a Refund webhook has been successfully processed and contains information about the purchased items and the ID of the canceled transaction. Use the data from the webhook to remove the purchased items.If item catalog personalization is implemented on your application’s side, set up processing of Catalog personalization on the partner’s side webhook.
Note
To receive real payments, you only need to implement processing of the Payment, Successful payment of the order, and User validation webhooks, as well as sign the licensing agreement.
To automatically manage subscription plans, it is necessary to implement processing of the main webhooks:
user_validation
) — is sent at different stages of the payment process to ensure the user is registered in the game.payment
) — is sent when an order is paid and contains payment data and transaction details.create_subscription
) — is sent when a Payment webhook has been successfully processed or the user has purchased a subscription with a trial period. It contains the details of the purchased subscription and user data. Use the webhook data to add a subscription to the user.update_subscription
) — is sent when a subscription is renewed or changed, when a Payment webhook has been successfully processed. It contains the details of the purchased subscription and user data. Use the webhook data to extend the user's subscription or change the subscription parameters.refund
) — is sent when an order is canceled and contains the canceled payment data and transaction details.cancel_subscription
) — is sent when a Refund webhook has been successfully processed or the subscription was canceled for another reason. It contains information about the subscription and user data. Use the webhook data to deduct purchased subscriptions from the user.To enable receiving webhooks:
https://example.com
format. You can also specify the URL you find in a tool for testing webhooks.Notice
To transfer data, HTTPS protocol is required; use of HTTP protocol is not supported.
Note
To test webhooks, you can select any dedicated website, such as webhook.site, or a platform, such as ngrok.
Notice
You can’t simultaneously send webhooks to different URLs. What you can do in Publisher Account is specify a URL for testing first, and then replace it with the real one.
To disable receiving webhooks:
Testing webhooks helps to ensure the correct setup of the project both on your side and on Xsolla side.
You can test the receiving of the following webhooks:
Webhook name | Webhook type |
---|---|
User validation | user_validation |
Payment | payment |
Order cancellation | order_canceled |
Successful payment of the order | order_paid |
If webhooks are set up successfully, a webhooks testing section is displayed below the webhooks setup section.
Note
If a warning that the test has not passed appears in the testing section, check the webhook response settings in your webhook listener. The reasons for the errors in testing are indicated in the test results.
Example:
You use the specialized site webhook.site for testing.
An error is displayed in the Testing response to invalid signature section.
This happens because Xsolla sends a webhook with an incorrect signature and expects your handler to respond with a 4xx
HTTP code specifying the INVALID_SIGNATURE
error code.
webhook.site sends a 200
HTTP code in response to all webhooks, including a webhook with an incorrect signature. The expected 4xx
HTTP code cannot be obtained, so an error is displayed in the test result.
In the Store tab, you can test the following webhooks:
order_paid
)order_canceled
)To test:
Successful payment of the order and Order cancellation webhooks with the specified data are sent to the provided URL. The results of testing each webhook type are displayed below the Test webhooks button.
In the Payments tab, you can test the following webhooks:
user_validation
)payment
)To test:
In the specified URL, you will receive webhooks with filled in data. Testing results of each webhook, for both a successful scenario and a scenario with an error, are displayed under the Test webhooks button. If public user ID is enabled in your project, you will also see the results of a user search check.
For each webhook, you need to configure processing both scenarios: a successful one and the one with an error.
When you save the URL in the Webhook server field, you can see the Advanced settings section where you can give permissions to receive detailed information in webhooks. To do that, set the respective toggles to On. In the line of each permission, you can see the list of webhooks affected by the settings.
Toggle | Description |
---|---|
Show info about the saved payment account | Information about the saved payment method is passed in the payment_account custom object. |
Show info about transactions via saved payment methods | Information is passed in the following custom parameters of the webhook:
|
Add order object to webhook | Information about the order is passed in the order object of the Payment webhook. |
Send only necessary user parameters without sensitive data | Only the following information about the user is passed in the webhook:
|
Send custom parameters | Information about custom token parameters is passed in the webhook. |
Show card BIN and suffix | The following information about the bank card number is passed in the webhook:
|
Show card brand | The brand of the card used for making the payment. For example, Mastercard or Visa. |
In the Subscriptions tab, you can test the following webhooks:
user_validation
)payment
)Note
In Publisher Account, you can only test basic User Validation and Payment webhooks. To test other webhook types, go to:
Note
To test webhooks, you should have at least one subscription plan created in the Publisher Account > Subscriptions > Subscription Plans section.
To test:
0
.In the specified URL, you will receive webhooks with filled in data. Testing results of each webhook, for both a successful scenario and a scenario with an error, are displayed under the Test webhooks button.
Webhook listener is program code that allows receiving incoming webhooks at a specified URL address, generating a signature, and sending a response to the Xsolla webhook server.
Note
You can use the Pay Station PHP SDK library, which contains ready-made classes for processing webhooks.
On the your application side, implement the reception of webhooks from the following IP addresses:
185.30.20.0/24
, 185.30.21.0/24
, 185.30.23.0/24
, 34.102.38.178
, 34.94.43.207
, 35.236.73.234
, 34.94.69.44
, 34.102.22.197
.
Limitations:
When receiving a webhook, you should ensure the security of data transmission. To achieve this, a signature must be generated from the webhook data and verified that it matches the signature sent in the HTTP request header. To generate a signature:
POST /your_uri HTTP/1.1
Host: your.host
Accept: application/json
Content-Type: application/json
Content-Length: 165
Authorization: Signature 52eac2713985e212351610d008e7e14fae46f902
{
"notification_type":"user_validation",
"user":{
"ip":"127.0.0.1",
"phone":"18777976552",
"email":"email@example.com",
"id":1234567,
"name":"Xsolla User",
"country":"US"
}
}
curl -v 'https://your.hostname/your/uri' \
-X POST \
-H 'Authorization: Signature 52eac2713985e212351610d008e7e14fae46f902' \
-d '{
"notification_type":
"user_validation",
"user":
{
"ip": "127.0.0.1",
"phone": "18777976552",
"email": "email@example.com",
"id": 1234567,
"name": "Xsolla User",
"country": "US"
}
}'
To confirm receipt of the webhook, your server must return:
200
, 201
, or 204
HTTP code in case of a successful response.400
HTTP code with description of the problem if the specified user was not found or an invalid signature was passed.
Your webhook handler may also return a 5xx
HTTP code in case of temporary issues on your server.If a response was not received for the Successful payment of the order and Order cancellation webhooks or if a response with a 5xx
code was received, the webhooks are resent according to the following schedule:
Maximum of 20 attempts to send webhooks are made within 12 hours from the first attempt.
If for either the Payment webhook or the Refund webhook a response was not received or if a response with a 5xx
code was received, webhooks are also resent with an increased time interval. A maximum of 12 attempts are made within 12 hours.
Notice
If the payment refund was initiated by Xsolla and a response with a `5xx` HTTP code came in response to the Refund webhook, the payment will still be refunded.
If a response was not received for the User validation webhook or a response with a code of 400
or 5xx
was received, the User validation webhook is not resent.
In this case, an error is shown to the user and the Payment and Successful payment of the order webhooks are not sent.
Error codes for HTTP code 400:
Code | Message |
---|---|
INVALID_USER | Invalid user |
INVALID_PARAMETER | Invalid parameter |
INVALID_SIGNATURE | Invalid signature |
INCORRECT_AMOUNT | Incorrect amount |
INCORRECT_INVOICE | Incorrect invoice |
HTTP/1.1 400 Bad Request
{
"error":{
"code":"INVALID_USER",
"message":"Invalid user"
}
}
Note
The notification type is sent in the notification_type
parameter.
Webhook | Notification type | Description |
---|---|---|
User validation | user_validation |
Sent to check if a user exists in the game. |
User search | user_search |
Sent to get user info based on public user ID. |
Payment | payment |
Sent when a user completes a payment. |
Refund | refund |
Sent when a payment must be canceled for any reason. |
Partial refund | partial_refund |
Sent when a payment must be partially canceled for any reason. |
AFS rejected transaction | afs_reject |
Sent when a transaction is declined during an AFS check. |
AFS updated blocklist | afs_black_list |
Sent when the AFS blocklist is updated. |
Created subscription | create_subscription |
Sent when a user creates a subscription. |
Updated subscription | update_subscription |
Sent when a subscription is renewed or changed. |
Canceled subscription | cancel_subscription |
Sent when a subscription is canceled. |
Nonrenewing subscription | non_renewal_subscription |
Sent when status is set to nonrenewing. |
Add payment account | payment_account_add |
Sent when a user adds or saves a payment account. |
Remove payment account | payment_account_remove |
Sent when a user removes the payment account from saved accounts. |
User validation in Web Shop | - |
Sent from a Web Shop site to check if a user exists in the game. |
Catalog personalization on partner’s side | partner_side_catalog |
Sent when a user interacts with the store. |
Successful payment of the order | order_paid |
Sent when an order is paid. |
Order cancellation | order_canceled |
Sent when an order is canceled. |
Dispute | dispute |
Sent when a new dispute is opened. |