Skip to main content

webhook events

as the name suggests, order events are sent whenever an order has changed state and you have subscribed to a notification. these events are usually related to the different payment states of the instalments or the completion of the whole order. before you using the webhook, make sure you have created your signature secret at our partner-portal

security

all events are signed using a hmac-sha256 signature. the signature is created using HMAC-SHA256.

X-DIVIT-SIGNATURE:t=[EVENT_TIMESTAMP],s1=[SIGNATURE]
  • EVENT_TIMESTAMP is a unix timestamp from when the event was sent. This timestamp is also embedded in the signature to top replay attacks.
  • SIGNATURE The HMAC-SHA256 hashed timestamp+body

validate signature

to validate the signature, we need to be able to create the same hash as in the header signature. you can achive that using three pieces of information

  • EVENT_TIMESTAMP
  • SIGNATURE
  • EVENT_BODY
  • Shared secret key (Which you get from your divit representative)

extract EVENT_TIMESTAMP and SIGNATURE

split the header content by the , and again by =. This will give you EVENT_TIMESTAMP and SIGNATURE


event list

order activated - ID:2001

this event is triggered when a user successfully 'activates' an order. this means that the user has been accepted by divit. When this event is received, then you can confirm with the user that payment is complete and they can receive their product.

sample event
{
"event": {
"eventId": 2001,
"eventDescription": "Order has been activated by the customer"
},
"eventData": {
"orderID": "7f32674f-6f8a-407d-934c-768d84472a76",
"customerID": "",
"totalAmount": {
"amount": 400253,
"currency": "HKD"
},
"partnerRef": "INTERNAL-REF-12121"
}
}