Webhooks
Some actions, such as a successful payment, can trigger a webhook. To set up a webhook, create an endpoint that will receive the POST webhook request. You can pass the webhook URL to the FanPoints SDK when you perform an action that will trigger the webhook.
Validating the webhook request
When you receive a webhook request, you need to validate the request to ensure that it is coming from the FanPoints platform.
Each request to the webhook endpoint is signed using the webhook secret. You can obtain the secret in the FanPoints dashboard (Marketing Partner > Integrationen > Webhooks). Use the secret to compute the Base64-encoded HMAC digest of the request body using the SHA-256 algorithm. Compare the computed digest with the one in the x-fanpoints-hmac-sha256 header:
import { createHmac } from 'crypto';

const WEBHOOK_SECRET = '<the webhook secret>';

// your handler of the POST webhook request
function webhookEndpoint(body, headers) {
  const headerSignature = headers['x-fanpoints-hmac-sha256'];
  const hmacDigest = createHmac('sha256', WEBHOOK_SECRET).update(body).digest('base64');

  if (hmacDigest !== headerSignature) {
    return {
      statusCode: 401,
      body: 'Invalid signature',
    };
  }

  // Do something with the webhook request

  return {
    statusCode: 200,
  };
}
Return a status code 200 if the request is valid.
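A hardened variant of the check above, as an added example that is not FanPoints' own code: it compares the signatures in constant time with `timingSafeEqual`, rejects a missing or wrong-length header without throwing, and parses the body only after verification. The function names, the sample secret and the sample payload are assumptions constructed for this illustration.

```javascript
// Added example, not part of the FanPoints documentation.
// CommonJS form; in an ES module use `import { ... } from 'node:crypto'`.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SIGNATURE_HEADER = 'x-fanpoints-hmac-sha256'; // header name from the page

// rawBody must be the exact bytes received (Buffer or string). A body that was
// parsed and re-serialized can differ byte-for-byte and will not match.
function verifyWebhookSignature(rawBody, headers, secret) {
  const received = headers[SIGNATURE_HEADER];
  if (typeof received !== 'string' || received.length === 0) return false;

  const expected = createHmac('sha256', secret).update(rawBody).digest('base64');
  const a = Buffer.from(received, 'utf8');
  const b = Buffer.from(expected, 'utf8');

  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Hypothetical handler: returns 401 on a bad signature, 200 otherwise.
function webhookEndpoint(rawBody, headers, secret) {
  if (!verifyWebhookSignature(rawBody, headers, secret)) {
    return { statusCode: 401, body: 'Invalid signature' };
  }
  const event = JSON.parse(rawBody.toString('utf8')); // parse only after verification
  return { statusCode: 200, event };
}

// Constructed sample data: the secret and payload are made up for this example.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"event":"payment_succeeded","amount":1250}');

// Helper that signs a body the way the page describes (Base64 HMAC-SHA256).
function sign(body, secret) {
  return createHmac('sha256', secret).update(body).digest('base64');
}

const demoHeaders = { [SIGNATURE_HEADER]: sign(SAMPLE_BODY, SAMPLE_SECRET) };
console.log(webhookEndpoint(SAMPLE_BODY, demoHeaders, SAMPLE_SECRET).statusCode);
```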
Debugging webhooks
If you are having trouble with webhooks, you can use the FanPoints dashboard to see the most recent webhook requests and the failure reasons.