After every successful purchase, Sardine will fire off a notification or a webhook to a URL designated by the developer.
A sample webhook ⬇️

{
  "eventType": "order.processed",
  "id": "90024712-0aae-46e8-9534-48007baa610d",
  "order": {
    "id": "6d5e2058-7a30-46c5-bbfe-b5e20d427e5a",
    "referenceId": null,
    "status": "Processed"
  }
}
For NFT Checkout, the different that can be expected are:
  • order.processed - Sardine has processed the payment for this order. Merchant can now complete the transfer of the NFT to the buyer
  • order.declined - The order was declined by the payment processor or Sardine for high fraud risk
  • order.expired - The order expired before the buyer finished the purchase
  • order.cancelled - The order was cancelled
  • order.complete - The NFT was successfully delivered to the Buyer
To set up your webhook:
  1. Provide your webhook URL to your Sardine Integration Manager
  2. Your Sardine IM will set this up and then provide you with a signing_secret
In order to verify the webhook notification, follow these instructions:
  1. Construct the signedContent by concatenating the id, timestamp and payload, separated by the full-stop character (.). In code, it will look something like: signedContent = "${webhook-id}.${webhook-timestamp}.${body}" where body is the raw body of the request.
  2. To calculate the expected signature, you need to perform an HMAC hash on the signedContent from above using the base64 portion of your signing secret (this is the part after the whsec_ prefix) as the key. So if your signing secret is: whsec_ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n, you’ll want to use ABCDmcQ8DpB7J6Yn4eZqkt48KRPy3a8n
  3. This generated signature should match what is sent in the webhook-signature header; make sure to remove the version prefix and delimiter (e.g. v1,) before verifying the signature. Please note that to compare the signatures, it’s recommended to use a constant-time string comparison method in order to prevent timing attacks.