HTTP POST Callbacks
Wyre sends HTTP POST callbacks notifications to update your system of transfer state transitions. All POST callbacks for a particular transfer are sent to the callbackUrl
parameter provided at the time of transfer quote creation.
State Changes
POST callbacks are sent whenever the transfer goes through a state change. Be sure to check the status of the transfer before you take any actions.
Payload
We will POST the full JSON representation of the transfer to your to callbackUrl
provided.
{"createdAt":1515616777388,
"id":"TF-QP334XYFC44-W",
"source":"wallet:WA-GU8GTMLGVL6",
"dest":"transfer:TF-QP334XYFC44",
"currency":"USD",
"amount":3413.52,
"status":"CONFIRMED",
"confirmedAt":1515616777388,
"cancelledAt":null,
"reversedAt":null,
"message":"Withdrawal for transfer TF-QP334XYFC44",
"allowOverdraft":false,
"authorizer":null,
"senderProvidedId":null,
"reversedBy":null,
"fees":0,
"feesDest":null,
"metadata":{"Description":"Pending: Transfer of $3413.52 to contact:CO-DGNTXYUUT4X","transferId":"TF-QP334XYFC44"},
"tags":[],
"sourceFees":null,
"destFees":null}
Callback Acceptance and Retries
Your system should respond to the callback request with a 200 response. We only attempt to send the request once, but we may introduce automatic retries in the future. We can manually resent callbacks upon request.
Security
In order to prevent callback spoofing we provide a signature with the callback passed back through the HTTP header X-API-Signature
.
This signature is a SHA256 HMAC signature of the JSON body signed with the account's first secret key. Below you can find example implementations of the signature.
Note: It's important to verify the signature in the callback, otherwise it is possible for the request to be spoofed by an external attacker.
Example
This example server-side code shows how to receive and verify a Wyre MassPay transfer callback
<?php
//we need the acccount's first secret key to calculate the HMAC
$secret_key = "my_secret_key";
//Retrieve data from server and parse it
$sig = $_SERVER['HTTP_X_API_SIGNATURE'];
$body = file_get_contents('php://input');
$json = json_decode($body, True);
//recreate signature of request body and compare to received signature
$hmac = hash_hmac('sha256', $body, $secret_key);
if ($hmac == $sig){
//valid snapcard message
$transfer_status = $json['STATUS'];
}else{
//handle signature failure
}
?>