Webhook Events

After every order that is confirmed by a user, Sardine will fire off a webhook to a URL designated by the developer.
A sample webhook ⬇️

{
  "eventType": "order.processed",
  "id": "90024712-0aae-46e8-9534-48007baa610d",
  "order": {
    "id": "6d5e2058-7a30-46c5-bbfe-b5e20d427e5a",
    "referenceId": null,
    "status": "Processed"
  }
}
For NFT Checkout, the different webhooks that can be expected are:
webhookdescription
draftClient has created an order and redirected user to purchase
expiredUser did not confirm the purchase and order expired
declinedUser attempted a purchase but their payment attempt was declined
cancelledOrder was cancelled
processingOrder was confirmed, waiting for payment
processedPayment was processed successfully
completeOrder was executed and delivered to user
To set up your webhook:
  1. Provide your webhook URL to your Sardine Integration Manager
  2. Your Sardine IM will set this up and then provide you with a signing_secret
In order to verify the webhook notification, follow these instructions:
  1. Construct the signedContent by concatenating the id, timestamp and payload, separated by the full-stop character (.). In code, it will look something like: signedContent = "${webhook-id}.${webhook-timestamp}.${body}" where body is the raw body of the request.
  2. To calculate the expected signature, you need to perform an HMAC hash on the signedContent from above using the base64 portion of your signing secret (this is the part after the whsec_ prefix) as the key. So if your signing secret is: whsec_ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n, you’ll want to use ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n
  3. This generated signature should match what is sent in the webhook-signature header; make sure to remove the version prefix and delimiter (e.g. v1,) before verifying the signature. Please note that to compare the signatures, it’s recommended to use a constant-time string comparison method in order to prevent timing attacks.