/api/v1/webhooks webhooks:manage

Registers a webhook URL for event types. The HMAC signing secret is returned ONCE — store it. URLs resolving to private/internal addresses are rejected (SSRF guard). Verify deliveries with HMAC_SHA256(secret, "<timestamp>.<raw_body>") against X-Mystery-Signature, dedupe on X-Mystery-Delivery, and reject deliveries older than ~5 minutes.
POST /api/v1/webhooks write

```json
{
  "url": "https://example.com/mystery-webhook",
  "event_types": [
    "purchase.fulfilled",
    "purchase.refunded",
    "buyback.confirmed",
    "buyback.transfer_held",
    "buyback.card_transferred",
    "buyback.transfer_failed",
    "redemption.prepared",
    "redemption.updated"
  ]
}
```

```sh
curl -X POST 'https://staging-service.rip.fun/api/v1/webhooks' \
  -H 'X-API-Key: rip_v1_…' \
  -H 'Content-Type: application/json' \
  -d '{"url":"https://example.com/mystery-webhook","event_types":["purchase.fulfilled","purchase.refunded","buyback.confirmed","buyback.transfer_held","buyback.card_transferred","buyback.transfer_failed","redemption.prepared","redemption.updated"]}'
```

| Field | Type | Required | Description |
|---|---|---|---|
| url | string | yes | Public HTTPS endpoint (private/internal addresses rejected) |
| event_types | string[] | — | deposit.credited, purchase.reserved/submitted/fulfilled/refunded/failed, buyback.confirmed/transfer_held/card_transferred/transfer_failed, redemption.prepared/updated — omit for all |

Response (data)

| Field | Description |
|---|---|
| id / url / event_types / is_active | The registered webhook |
| signing_secret | 64-hex HMAC secret — shown ONCE, store it now |

| Status | Code | When |
|---|---|---|
| 409 | webhook_limit | more than 20 webhooks registered |
See Errors for the response envelope and the full code list.
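
The receiver-side checks listed in the endpoint description (HMAC over "<timestamp>.<raw_body>", the ~5 minute age limit, dedupe on X-Mystery-Delivery), as an added example that is not the API provider's code. Assumptions not stated on this page: the timestamp arrives as Unix seconds in a header named X-Mystery-Timestamp, the signature is hex-encoded, and the 64-hex secret is used as ASCII bytes for the HMAC key.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # the page's "~5 minutes"
TS_HEADER = "x-mystery-timestamp"  # ASSUMPTION: timestamp header name is not given on the page

class DeliveryRejected(Exception):
    """Raised when a delivery must not be processed."""

def expected_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # HMAC_SHA256(secret, "<timestamp>.<raw_body>"); hex output is an ASSUMPTION
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()

def verify_delivery(secret, headers, raw_body, seen_ids, now=None):
    """Return the delivery id if the request is authentic, fresh and not a replay."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        ts, sig, delivery_id = h[TS_HEADER], h["x-mystery-signature"], h["x-mystery-delivery"]
    except KeyError as missing:
        raise DeliveryRejected(f"missing header {missing}") from None
    # 1. Authenticate the exact bytes received; re-serialising parsed JSON changes them.
    want = expected_signature(secret, ts, raw_body)
    if not hmac.compare_digest(want.encode(), sig.strip().lower().encode()):
        raise DeliveryRejected("bad signature")
    # 2. Freshness, checked only after the timestamp itself has been authenticated.
    if not (ts.isascii() and ts.isdigit()) or now - int(ts) > MAX_AGE_SECONDS:
        raise DeliveryRejected("stale delivery")
    # 3. Dedupe. A set works in one process; use a shared store with a TTL across workers.
    if delivery_id in seen_ids:
        raise DeliveryRejected("duplicate delivery")
    seen_ids.add(delivery_id)
    return delivery_id

# Constructed sample values, not real credentials or traffic.
SECRET = b"00" * 32  # stands in for the 64-hex signing_secret, used as ASCII bytes (ASSUMPTION)
BODY = b'{"type":"purchase.fulfilled","id":"evt_example"}'  # constructed payload shape
NOW = 1_700_000_000

def sample_headers(ts=NOW, delivery="dlv_example_1", body=BODY):
    """Build the headers a sender would attach, for exercising verify_delivery."""
    t = str(ts)
    return {"X-Mystery-Timestamp": t, "X-Mystery-Delivery": delivery,
            "X-Mystery-Signature": expected_signature(SECRET, t, body)}
```

Pass the request body exactly as read from the socket, before any JSON parsing, and record the delivery id only after the signature and age checks succeed so that forged requests cannot fill the dedupe store.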