Callback request contents are as follow
{
"id": "c743f375-0b2e-44a8-9362-6cbc75500725",
"network": "tron",
"amount": 689,
"fees": 1,
"txid": "efce6f29aa115a951adce6340d404e4dce0b4de2137836cd890af85bd37ce51c",
"timestamp": 1716492678000,
"from": "TFNLDAmrUgqjyCQdxtgsoNFukUooiZBp9w",
"to": "TZHF6a17t1wWYBvzunaatrq1WbdR9sixaj",
"wallet_label": "user #1014 wallet",
"wallet_id": "14c4b88b-5a3f-42ec-89c8-73b0c947bc7d",
"status": "pending",
"is_dust": false
}
| Key | Type | Description |
|---|---|---|
| id | uuid | transaction id |
| network | string | network code |
| amount | double | total amount recieved |
| fees | double | deposit fees |
| txid | string | blockchain txid |
| timestamp | integer | blockchain timestamp |
| from | string | sender address |
| to | string | receiver address |
| wallet_label | string|null | wallet label |
| wallet_id | uuid | wallet id |
| status | string | pending: the system waits for the network confirmations. success: it's credited to your balance, and it's spendable. |
| is_dust | boolean | true, the recieved amount will not be credited to your balance and the fee is always 0. false, the recieved amount will be credited to your balance even if it's below dust threshold since there's already dust balance in that wallet. |
Verify webhook request
Once your server is configured to receive webhooks, it will listen for any delivery that's sent to the callback endpoint you configured. To ensure that your server only processes webhook deliveries that were sent by SingleWallet and to ensure that the delivery was not tampered with, you should validate the webhook signature before processing the delivery further. This will help you avoid spending server time to process deliveries that are not from SingleWallet and will help avoid man-in-the-middle attacks.
SingleWallet will use your secret token to create a hash signature that's sent to you with each payload. The hash signature will appear in each delivery as the value of the sw-signature header.
In your code that handles webhook deliveries, you should calculate a hash using your secret key. Then, compare the hash that SingleWallet sent with the expected hash that you calculated, and ensure that they match.
There are a few important things to keep in mind when validating webhook payloads:
- SingleWallet uses an HMAC hex digest to compute the hash.
- The hash signature is generated using your webhook's secret key and the payload contents.
- If your language and server implementation specifies a character encoding, ensure that you handle the payload as UTF-8. Webhook payloads can contain unicode characters.
Code Example
function checkSignature(string $payload, string $secretKey) : string {
return hash_hmac('sha256', $payload, $secretKey);
}
let crypto = require('crypto');
function checkSignature(payload, secretKey){
return crypto.createHmac('sha256', secretKey).update(payload).digest('hex')
}
Testing payload validation
You can use the following secret key and payload values to verify that your implementation is correct:
- secret key : "this is the webhook payload"
- payload : "shh! it's a secret"
If your implementation is correct, the signatures that you generate should match the following signature value
09ff61c205f4200766914b65480d51ff10dc9cd1b7525f19ae23d091dcb2db93