The Tremendous API supports a callback system allowing you to react to the various events that happen within your organization's account.

The system uses webhooks to send notifications to one of your servers over HTTPS.

List of available events

  • CAMPAIGNS.CREATED
  • CAMPAIGNS.DELETED
  • FUNDING_SOURCES.CREATED
  • FUNDING_SOURCES.DELETED
  • FUNDING_SOURCES.FUNDED
  • INVOICES.CREATED
  • INVOICES.DELETED
  • INVOICES.PAID
  • MEMBERS.CREATED
  • MEMBERS.DELETED
  • MEMBERS.INVITED
  • ORDERS.APPROVED
  • ORDERS.CANCELED
  • ORDERS.CREATED
  • ORDERS.FAILED
  • ORGANIZATIONS.CREATED
  • ORGANIZATIONS.DELETED
  • PRODUCTS.ADDED
  • PRODUCTS.REMOVED
  • REWARDS.CANCELED
  • REWARDS.CREATED
  • REWARDS.DELIVERY.FAILED
  • REWARDS.DELIVERY.SUCCEEDED

Webhook setup

Every organization can set up a single endpoint to where we will send webhook requests. You can configure that receiving endpoint (e.g. its URL) via the API. See the API reference for the webhook endpoints.

📘

The configured receiver will be notified about every event that occurs within your account. You cannot pre-select which events get sent, but you can filter events on the receiver according to your needs.

Webhook requests

Webhooks will be sent as HTTP POST requests. The request body is a JSON document that looks like this:

{
  "event": "CAMPAIGNS.CREATED",
  "uuid": "5ccc7bb1-7659-4e23-a407-77d8cd9c62f5",
  "created_utc": "2021-04-06T20:05:01.037-04:00",
  "payload": {
    "resource": {
      "id": "2V3PCCL7QXDA",
      "type": "campaigns"
    },
    "meta": {
    }
  }
}

Request properties

Property

Description

event

Type of the event (see list of events)

uuid

Unique ID of the webhook itself (can be used to avoid executing the same webhook twice / see Responding to Webhooks / Errors & Retries)

created_utc

Timestamp when the event happened

payload

Details on the event and it's context (the other top-level properties describe meta information about the event)

payload.resource

Describes the main resource this event is referring to (e.g. a specific campaign for the CAMPAIGNS.CREATED event)

payload.resource.id

Tremendous ID of the resource (can be used to obtain details about the resource through a separate API call)

payload.resource.type

What kind of resource this event is referring to. Possible values:

campaigns
funding_sources
invoices
members
orders
organizations
products
rewards

payload.meta

Currently not used / Always an empty object ({})

Responding to webhooks / errors & retries

The endpoint that receives webhooks from our system must respond with a 200 HTTP response code. If it fails to do so, the same webhook will be retried up to 20 times, with an exponential delay (backoff) between attempts.

Please make sure to check the webhook's uuid field on every webhook to ensure you are not reacting to the same event multiple times.

📘

We recommend setting up your webhook endpoint such that it processes webhooks asynchronously, out of the request/response loop (e.g. a worker queue). This ensures that Tremendous gets a timely response and thus won't retry the webhook request.

Webhook verification

To verify that the webhook sent to your receiver originates from Tremendous, every request is signed. You can find the signature in a HTTP request header named Tremendous-Webhook-Signature. The header's value is always a prefix (sha256=), followed by the actual signature.

The signature is signing the whole request body using HMAC-SHA256 in a hexadecimal representation.

You can obtain the private key used for the signature during the configuration of your webhook endpoint. It will be returned in the API response when you create the webhook or when you retrieve a webhook through the API.

Verification example (Ruby):

def request_valid?(private_key:, request:)
  signature_header = request.headers['Tremendous-Webhook-Signature']
  algorithm, received_signature = signature_header.split('=', 2)

  expected_signature = OpenSSL::HMAC.hexdigest(
    OpenSSL::Digest.new('sha256'), private_key, request.body.read
  )

  received_signature == expected_signature
end

Multiple webhook receiver

If you need to receive webhooks to multiple endpoints:

  1. Setup a central receiving endpoint on your side
  2. Let that receiver fan out notifications to other parts of your infrastructure