Gigapay API
Search…
2.6.2
API Reference
Events
Postman collection
Authentication
Errors
Expanding objects
Pagination
Idempotency
Metadata
Webhooks
Resources
Employees
Payouts
Invoices
Webhooks
Pricing
Powered By GitBook
Webhooks
Gigapay uses Webhooks to let you know any time an event happens on your account. Webhooks are completely optional, however they allow you to receive real-time updates on events related to your Gigapay account. We notify on the following events:
    Employee.created
    Employee.notified
    Employee.verified
    Payout.created
    Payout.notified
    Payout.accepted
    Invoice.created
    Invoice.paid
The notifications simply contain the object that triggered the event, as represented in the API. For example, the notification for a Employee.verified event may look as following:
1
POST https://gigatron.se/webhooks/employees/ HTTP/1.1
2
Content-Type: application/json
3
Gigapay-Signature: t=1583327301,v1=ad583e2b2093c8d6fb3b65e04b99fc5988e98c0c312909acad334072da7e99ec
4
...
5
6
{"id": "25d2af38-59b9-4f73-9452-51787fed5c84", "name": "Karl \\u00C5hlsson", "cellphone_number": null, "email": [email protected], "metadata": {"user_id": 3}, "created_at": "2019-05-20T15:33:08.974624Z", "verified_at": "2019-05-21T09:13:48.625263Z"}
Copied!

Gigapay-Signature

The notification is signed used the secret_key set for the Webhook, the signature is included in the notification as a Gigapay-Signature header. This allows you to verify that the events were sent by Gigapay, and not by a third party. The signature consists of two parameters; t, the timestamp of when the notification was sent, v the signature of the current scheme. Currently, the only valid signature scheme is v1 which is the HMAC algorithm as described by RFC 2104 using SHA256 as disgestmod.
To verify signatures using the v1 scheme, extract the timestamp from theGigapay-Signature header, and the JSON-encoded notification from the request body. Join these strings with a period, ., as a separator. Compute an HMAC with the SHA256 hash function using the Webhook’s secret_key as the key. Lastly ensure that the signature in the header and the calculated signature matches. A psuedocode outline would be as follows:
1
secret_key = '...asId'
2
t, v1 = parse_signature(request.headers.Gigapay-Signature)
3
payload = t + '.' + request.body
4
5
hmac = hmac.new('sha256', secret_key.encode('utf-8'))
6
hmac.update(payload.encode('utf-8'))
7
signature = hmac.hexdigest()
8
9
signature == v1
Copied!
Note, if you are deserializing the JSON-encoded body you will need to reserialize it back to a string before computing the hash. When doing so take care to ensure that the resulting string has the same format as the original one. Some gotchas are:
    White space after , and :.
    Unicode-encoded characters.
    The timestamps are UTC, ISO 8601.
Previous
Metadata
Next - Resources
Employees
Last modified 3mo ago
Copy link