Introducing Instamojo Webhooks

(Last Updated On: March 2, 2021)
One of our primary goals has been to bring simplicity to online selling. While at it, there’s a part which involves us hiding the complexities while giving a simple set of features which helps you maximize sales.
On the same chord, today we are excited to introduce Instamojo Webhooks.
 

Webhooks FAQ

Q. What are Webhooks?

Webhooks are real time notifications that alert you whenever an automated event like successful transaction occurs in our system.
In technical terms, after every successful transaction, Instamojo can optionally issue a server-side call to your server. This server-side call is implemented as a standard POST request. We include some data about the payment in this call as the POST request payload.

 Q. How is it different from Redirection?

In ‘custom redirect‘ you can simply redirect the buyer to any website/URL that you wish, with only the transaction_id passed as GET variable. This URL can be specified while adding or editing the offer (under the “advanced settings” section).

Using ‘webhook’, you can issue a call to your server with a list of key variables with all transaction details. The data is sent as POST variables.

The Webhook and Custom URLs can be different and you can use both the features independently.

For custom redirect, only a URL has to be specified in offer details, while webhook feature needs some integration for the seller after specifying the Webhook URL (screenshot below).

 

So with Webhook, Instamojo now elegantly offers the functionality of sending information to your server after every successful purchase.

Q. How can the Webhook feature benefit me?

 

 Webhook feature has a lot of practical day-to-day applications. Here are some use-cases where it can be used:

1. Sending a custom email from your server at the end of every successful transaction

2. Activation of a user’s account on your service

3. Sending a user the license key to your software

4. Adding a user to your CRM software

5. Adding the transaction to your accounting software

For geeks/programmers/alike (optional):

Q. How is the Message Authentication Code generated? 

We create a list of all values from the key-value pairs we’re about to send in the POST request and sort them in the order of their keys. We then concatenate all these values together, separated by a pipe (|) character. We then use the HMAC-SHA1 algorithm to generate the signature. The HMAC key for the signature generation is the secret salt from the user’s profile (please contact support@instamojo.com to share the URL to which you would like the POST request to be sent to and to gain access to your secret salt).

Q. How is the Message Authentication Code useful and do I need to use it? 

The Message Authentication Code for the payload is what you can use to verify that the POST request is indeed sent by Instamojo, versus someone else trying to impersonate Instamojo and/or gain access to your data/systems.
You don’t strictly need to use it since the data is sent in plain text, and therefore readable without verifying the MAC, it is a good idea to verify the MAC to ensure the integrity and authenticity of the POST request.

In short, using MAC is optional, but recommended as a security feature.

Sample code in Python

import hmac
import hashlib

# 'd' is the dictionary that corresponds to the POST request
# 'salt' is the key for the HMAC algorithm

mac_provided = d.pop(mac)

message = '|'.join(str(i) for i in zip(*sorted(d.iteritems()))[1])
mac_calculated = hmac.new(salt, message, hashlib.sha1).hexdigest()

if mac_provided == mac_calculated:
    # MAC is authenticated, proceed with fulfillment
else:
    # MAC authentication failed, deny fulfillment, inform Instamojo

For more detailed information about our Webhooks, please visit our support center here. And as always, we would love to get your feedback at support@instamojo.com.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.