Webhooks

General guidance

If you are using a Discord webhook, you can ignore all the below instructions. For customizing message fully, set a channel here instead.

Create Webhook

Configure your first webhook to receive instant & live notifications about things happening with your account.

Signing/Validating

To verify the authenticity of a webhook request and its payload, each webhook request includes a X-VaultCord-Signature header with a HMAC signature comprised of the JSON encoded request body and your webhook secret. Your webhook secret can be copied here.

We use SHA-512 HMAC, not SHA256 like some lower quality e-commerce services use.

Every request will be sent from 45.33.155.66, so you could use this to verify it’s a legitimate request if you can’t use encryption for whatever reason.

Signature verification code samples

PHP

<?php
  $payload = file_get_contents('php://input');
  $secret = 'WEBHOOK_SECRET'; // replace with your webhook secret, you can find it in the Developer page on the VaultCord dashboard.
  $header_signature = $_SERVER['HTTP_X_VAULTCORD_SIGNATURE']; // get our signature header
  $signature = hash_hmac('sha512', $payload, $secret);

  if (hash_equals($signature, $header_signature)) {
    // handle valid webhook
  } else {
    // invalid webhook
  }
?>

Node JS

const crypto = require('crypto');
const secret = 'WEBHOOK_SECRET'; // replace with your webhook secret, you can find it in the Developer page on the VaultCord dashboard.
const headerSignature = req.headers['x-vaultcord-signature'];
const payload = req.body;

const signature = crypto
  .createHmac('sha512', secret)
  .update(payload)
  .digest('hex');

if (crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(headerSignature, 'utf-8'))) {
  // handle valid webhook
} else {
  // invalid webhook
}

Python

import hashlib
import hmac
import sys

payload = sys.stdin.buffer.read()
secret = b'WEBHOOK_SECRET' # replace with your webhook secret, you can find it in the Developer page on the VaultCord dashboard.
header_signature = bytes.fromhex(sys.stdin.headers['X-VaultCord-Signature']) # get our signature header
signature = hmac.new(secret, payload, hashlib.sha512).hexdigest()

if hmac.compare_digest(signature, header_signature):
  # handle valid webhook
else:
  # invalid webhook

Events

Each webhook request will contain an event JSON key in the request body. A list of supported events from Webhook Endpoints can be found below.

Event	Description
`member.verified`	Member Verified.
`member.pull_started`	Member Pull Started.
`donation.paid`	One of your members donated to you.
`market.paid`	The order has been flagged as paid, this is the final state.
`market.refunded`	An order has been partially refunded, because some members didn’t arrive
`market.added`	A new marketplace seller has been added

Logs

Each webhook request will create a Webhook Log. The object is created by the request that has been sent. It will contain all headers, and the request + response body. If your website blocks our request (always coming from IP 45.33.155.66) you can find the RayID in the headers to see what Cloudflare rule our request triggered.

Logs will only be kept for up to 14 days. After this period they will be deleted

API Documentation

Information

Members

Marketplace

Servers

Bots

Backups

Blocklists

Allowlists

Alerts

General guidance

Create Webhook

Signing/Validating

Signature verification code samples

Events

Logs

API Documentation

Information

Members

Marketplace

Servers

Bots

Backups

Blocklists

Allowlists

Alerts

​General guidance

Create Webhook

​Signing/Validating

​Signature verification code samples

​Events

​Logs

General guidance

Signing/Validating

Signature verification code samples

Events

Logs