Webhooks are a way in which an application or system provides real-time information to other applications when one or more events occur. In other words, it is a way to receive data between two systems passively through an HTTP POST request.
In our case, TuCambioAPI will send notifications for each payment status change to the notification URL specified by the client.
Example Notification POST
{
id: '02ba8ea8-8a9c-4c2d-b999-6f9d709341f0',
status: 'COMPLETED',
exchangeRate: 4.02,
amount: 1000,
subtotal: 1000,
totalDue: 1000,
recipientEmail: null,
recipientFullName: 'Jose Campos',
recipientDni: '12345678-1',
recipientIdentityDocument: 'DNI',
recipientBank: 'Interbank',
recipientAccountType: 'Cuenta Ahorro',
recipientAccountNumber: '0034191952258900',
recipientAmount: 4020,
dateOrderInProcess: null,
dateOrderCompleted: '2024-06-27T15:45:23.228-04:00',
fromCurrencyId: 14,
toCurrencyId: 4
}
Signature of Notifications
To make the queries more secure and to ensure that the notifications received were sent by Tu Cambio API, we use an HMAC signature with a secret key.
An HMAC signature is calculated using the key-value pairs of a request and a secret key, known only by you and Tu Cambio. By verifying this signature, you will confirm that the notification was not modified during transmission.
Tu Cambio will sign each POST notification using the same method described in the Security section (HMAC-SHA256 hash function).
Simply take the HTTP Authorization header from the notification and compare it with the one you generated using your secretKey, and the Request body of the received notification. If the signature you generated matches the one received in the HTTP Authorization header, then it is safe to assume that it is a valid message sent from Tu Cambio API.