Webhooks

Gigapay uses Webhooks to let you know any time an event happens on your account. Webhooks are completely optional, however they allow you to receive real-time updates on events related to your Gigapay account. We notify on the following events:

  • Employee.created

  • Employee.notified

  • Employee.verified

  • Payout.created

  • Payout.notified

  • Payout.accepted

  • Invoice.created

  • Invoice.paid

The notifications simply contain the object that triggered the event, as represented in the API. For example, the notification for a Employee.verified event may look as following:

POST https://gigatron.se/webhooks/employees/ HTTP/1.1
Content-Type: application/json
Gigapay-Signature: t=1583327301,v1=ad583e2b2093c8d6fb3b65e04b99fc5988e98c0c312909acad334072da7e99ec
...
{
"id": "25d2af38-59b9-4f73-9452-51787fed5c84",
"name": "Karl Karlsson",
"cellphone_number": null,
"email": karl.karlsson@gmail.com,
"metadata": {
"user_id": 3,
}
"created_at": "2019-05-20T15:33:08.974624Z",
"verified_at": "2019-05-21T09:13:48.625263",
}

Gigapay-Signature

The notification is signed used the secret_key set for the Webhook, the signature is included in the notification as a Gigapay-Signature header. This allows you to verify that the events were sent by Gigapay, not by a third party. The signature consists of two parameters; t, the timestamp of when the notification was sent, v the signature of the current scheme. Currently, the only valid signature scheme is v1 which is the HMAC algorithm as described by RFC 2104 using SHA256 as disgestmod.

To verify signatures using the v1 scheme, extract the timestamp from theGigapay-Signature header, and the JSON-encoded notification from the request body. Join these strings with a period, ., as a separator. Compute an HMAC with the SHA256 hash function using the Webhook’s secret_key as the key. Lastly ensure that the signature in the header and the calculated signature matches.