webhook events
as the name suggests, order events are sent whenever an order has changed state and you have subscribed to a notification. these events are usually related to the different payment states of the order. before you using the webhook, make sure you have created your signature secret at our partner-portal
security​
all events are signed using a hmac-sha256 signature. the signature is created using HMAC-SHA256.
X-DIVIT-SIGNATURE:t=[EVENT_TIMESTAMP],s1=[SIGNATURE]
EVENT_TIMESTAMP
is a unix timestamp from when the event was sent. This timestamp is also embedded in the signature to top replay attacks.SIGNATURE
The HMAC-SHA256 hashed timestamp+body
validate signature​
to validate the signature, we need to be able to create the same hash as in the header signature. you can achive that using three pieces of information
- EVENT_TIMESTAMP
- SIGNATURE
- EVENT_BODY
- Shared secret key (Which you get from your divit representative)
- step 1
- step 2
- step 3
extract EVENT_TIMESTAMP
and SIGNATURE
​
split the header content by the ,
and again by =
. This will give you EVENT_TIMESTAMP
and SIGNATURE
step 2 - recreate signature content​
the signature content has the format of EVENT_TIMESTAMP.EVENT_BODY
where EVENT_BODY
is the JSON that was sent from divit webhook.
split the header content by the ,
and again by =
. This will give you EVENT_TIMESTAMP
and SIGNATURE
event list​
order activated - ID:2001​
this event is triggered when a user successfully 'activates' an order. this means that the user has been accepted by divit. When this event is received, then you can confirm with the user that payment is complete and they can receive their product.
{
"event": {
"eventId": 2001,
"eventDescription": "Order has been activated by the customer"
},
"eventData": {
"orderID": "7f32674f-6f8a-407d-934c-768d84472a76",
"customerID": "",
"totalAmount": {
"amount": 400253,
"currency": "HKD"
},
"partnerRef": "INTERNAL-REF-12121"
}
}