Partner Integration

Last updated 1 year ago

Was this helpful?

Partner Integration

Summary

Version v1
Release date 30/04/2023

GalaxyJoy Webhook provides webhook events that send to your endpoint with gj-signature in the header. You can receive webhook events in which an object changes and secured with an e-signature between sender and receiver.

Before you can verify signatures, you need to register the endpoint by contact to GalaxyJoy () and receive an endpoint's SecretKey. If you use multiple endpoints, you must obtain a SecretKey for each one you want to verify signatures on.

Integration guidelines

Event Type

All events always contain event type as an attribute event_type. Event types are represented by actions in which objects occur. Each event_type contains two parts including object name (user) and action (created)

List available event types:

Event Type

Description

Available

Payload

user.created

User created

Yes

user.updated-profile

User profile updated

Yes

user.updated-ekyc

User ekyc updated

Yes

user.updated-balance

User balance updated

Yes

user.updated-tier

User tier updated

Yes

user.activated

User activated

Yes

user.deleted

User deleted

Yes

Signature Version

v1 version is the first algorithms which GalaxyJoy Webhook support by default

Version

Description

Available

v1

algorithm using the SHA-256 hashing function.

Yes

Receiver webhook

Method: POST

Receive headers

    "Content-Type": "application/json"
    "gj-signature": "t=1681309224070,v1=6f85d9fc3bb10758ab35d84c05387c18bde44d8f446dc4af2ad6a2b335da79d0"

Receive body

{
    "event_type": "user.created",
    "event_id": "8ee4419d-04d8-48e9-a164-f0559b14cdf1",
    "timestamp": 1681729294,
    "body": {}
}

the Header Content-Type the content type that sender has been sent
Header gj-signature the header signature that provided by GalaxyJoy Webhook. It's value contains:
Body event_id The event unique id
Body timestamp The timestamp in second
Body body The object payload data

Verify signatures

Normally, client http will receive a raw body when headers Content-Type: application/json, but some applications can use a middleware that parse body to Json format. So, if your application has been implement body parse json, you need to change your endpoint which register on GalaxyJoy Webhook to receive raw body.

Example with NodeJS

// app.js
'use strict';

// This example uses Express to receive webhooks
const express = require('express');
const crypto = require('crypto');

const endpointSecret = 'gj_test_...';
const versionV1 = 'v1';

const app = express();

const signBodyV1 = function(payload, timestamp) {
    const hmac = crypto.createHmac('sha256', endpointSecret);
    const payloadStr = typeof payload == 'object' ? JSON.stringify(payload) : payload;
    const signatureData = `${timestamp}.${versionV1}.${payloadStr}`;
    return hmac.update(signatureData).digest('hex');
}
const verifyHeader = function(signatureHeader) {
    const [timeData, ...signatureVersions] = signatureHeader.split(',');
    if (!timeData || !signatureVersions.length) {
        throw new Error('Invalid signature header');
    }
    const [_t, timestamp] = timeData.split('=');
    const signatures = signatureVersions.map((signatureVersion) => {
        const [version, signature] = signatureVersion.split('=');
        return { version: version, value: signature };
    });
    return {
        signatures: signatures,
        timestamp: Number(timestamp),
    };
}

const getEvent = function(rawBody, signatureHeader) {
    const payload = rawBody instanceof Uint8Array
            ? new TextDecoder('utf8').decode(rawBody)
            : rawBody;

    const { signatures, timestamp } = verifyHeader(signatureHeader);
    const clientSignature = signBodyV1(payload, timestamp);

    const signatureV1 = signatures.find((signature) => signature.version === versionV1);
    if (signatureV1.value !== clientSignature) {
        throw new Error('Invalid signature')
    }
    
    const event = JSON.parse(payload);
    return event;
}

// Match the raw body to content type application/json
app.post('/webhook', express.raw({type: 'application/json'}), (request, response) => {
    const signatureHeader = request.headers['gj-signature'];
    const rawBody = request.body; // remember to use rawBody in the signature verification below
    const event = getEvent(rawBody, signatureHeader);
  
    // Return a response with status code 200 to acknowledge receipt of the event
    return response.json({receivedEvent: event.event_type});
});

app.listen(3000, () => console.log('Running on port 3000'));

Run: node app.js

Last updated 1 year ago

Was this helpful?