Webhooks v. 1 Overview
Webhooks are used to notify your system when certain Friendbuy events happen. You can use webhooks to record information about sharing and referrals, or perform actions in your own systems when these events happen. A common use-case is tracking sharing and conversion information in a CRM.
You may configure your Friendbuy account to use webhooks with these steps:
- Log in to Friendbuy
- Go to Settings
- Go to the Webhooks tab
- Enter the URL for the webhook
A note on security: Friendbuy requires SSL on all webhook URLs. To put it simply, the URLs you provide have to start with
https, and your server needs to have a valid certificate. Optionally, you can provide HTTP basic authentication credentials and we will use them with webhook calls.
After a successful conversion Friendbuy will POST the following properties to the provided URL.
After a successful share Friendbuy will POST the following properties to the provided URL.
Verifying Requests are coming from Friendbuy
If you want to verify the authenticity of a webhook request from Friendbuy, you can verify the request’s cryptographic signature. When Friendbuy makes a call to your webhook, a header or querystring parameter is provided with the computed signature. You can follow the steps below to compute your own signature and compare it with ours.
- Take the full URL of the webhook URL including the querystring.
- If the request is a POST, sort all of the POST parameters alphabetically (using Unix-style case-sensitive sorting order).
- Iterate through the sorted list of POST parameters, and append the variable name and value (with no delimiters) to the end of the URL string.
- Sign the resulting string with HMAC-SHA1 using your API Secret as the key.
- Base64 encode the resulting hash value.
- Compare your hash to the one in the X-Friendbuy-Signature header. If the signatures match, the request is valid.
If webhooks are enabled for your account level, you can find your API Secret on the Webhooks tab in Friendbuy settings.
Here is Python code that generates a webhook signature you can compare to the signature provided in the X-Friendbuy-Signature in order to verify the authenticity of the request:
To whitelist the Friendbuy webhooks, use the following IP addresses: