Server-Side Integration

Setting up server-side integration to listen for webhooks and process successful checkouts.

Once all of the participants of a Social Checkout complete payment, a POST request webhook is sent to all of the active webhooks associated with a store with the following body:

Webhook Body
{
participants: {
name: string;
email: string;
phoneNumber: string;
completedAt: number; // epoch in milliseconds
}[];
checkoutId: string;
productId: string;
schemeId: string;
finalPrice: number;
savedAmount: number;
savedPercent: number;
}

If the response contains a non-200 status code, the webhook will retry up to 10 times. If a webhook is disabled after the retry flow has started, it will continue to retry as if it had received a non-200 response. So, if you disable a webhook and then re-enable within the window, future webhooks will still be sent.

Retry Delays

Attempt

Delay

1

1 minute

2

2 minutes

3

5 minutes

4

10 minutes

5

30 minutes

6

1 hour

7

2 hours

8

5 hours

9

1 day

10

3 days

HMAC Header

The webhook request contains an SHA-256 HMAC header via the x-sc-hmac field, which is generated by signing a JSON-stringified version of the body with the webhook secret key. You can find the secret key on the integrations page. You should always verify that the HMAC is correct before attempting to process the contents of the body.

Examples

Node.js
Node.js
const express = require('express');
const cryptoJS = require('crypto-js');
const secret = 'secret';
const app = express();
app.post('webhook', (req, res) => {
const bodyStringified = JSON.stringify(req.body);
const expectedHMAC = req.headers['x-sc-hmac'];
const actualHMAC = cryptoJS
.HmacSHA256(bodyStringified, secret)
.toString();
if (expectedHMAC !== actualHMAC) {
throw new Error('Invalid HMAC');
}
// Process the checkout, activate licenses, send emails, etc
});
app.listen(3000, () => {
console.log('Listening on port 3000');
});