Webhooks and Event Notifications
The CSP API offers webhook events grouped into several categories. You can subscribe to these webhooks to receive a notification of events by category type. A subscription is created by associating a CSP webhook endpoint to a specified event category (see the example below). The webhook event itself is a flat-map JSON data structure that contains an eventType property (along with others) that provide important information.
Please be aware that new properties may be added in future releases. To ensure forward compatibility, you should make sure that webhook endpoints are capable of handling unexpected properties.
Property | Description | Required | Data Type |
|---|---|---|---|
eventType | Webhook event type | Yes |
|
cspId | CSP ID | No |
|
cnpId | CNP ID | No |
|
cspName | CSP display name | No |
|
brandId | Brand ID | No |
|
brandName | Brand display name | No |
|
brandReferenceId | Brand reference ID (visible to the brand creator) | No |
|
brandIdentityStatus | Updated brand identity status. Applicable to BRAND_IDENTITY_STATUS_UPDATE event | No |
|
campaignId | Campaign ID | No |
|
campaignReferenceId | Campaign reference ID (Visible to campaign creator) | No |
|
dcaId | DCA ID | No |
|
dcaName | DCA display name | No |
|
description | Description | No |
|
evpId | External Vetting Provider ID | No |
|
evpName | External Vetting Provider display name | No |
|
vettingId | External vetting ID | No |
|
mnoId | Mobile Network Operator ID. Developers can use the GET /enum/mno endpoint to retrieve a list of all MNOs. | No |
|
mnoName | Mobile Network Operator display name | No |
|
mock | Event associated with a mock brand if the mock attribute exists and is true. | No |
|
nudgeIntent | Nudge intent type. Applicable to the CAMPAIGN_NUDGE event. | No |
|
Webhook Example
Notification of campaign suspension by AT&T:
POST / HTTP/1.1
Host: tcr.requestcatcher.com
Accept: *.*
Connection: keep-alive
Content-Length: 226
Content-Type: application/json; utf-8
X-Registry-Signature: SmqzLvP6uQDM6DD2lfdLqwiJJbo=
{
"cspId" : "S123ABC", "brandName" : "Microsoft", "mnoName" : "AT&T",
"campaignId" : "C123ABC", "campaignReferenceId" : "C-XXXXX", "brandId" : "B123ABC",
"brandReferenceId" : "Q-XXXXXXXX", "mnoId" : 10017,
"eventType" : "MNO_CAMPAIGN_OPERATION_SUSPENDED",
"cspName" : "ACME"
}Webhook Delivery
Delivery Order
The CSP API delivers webhook events in chronological order. For example, a campaign registration might generate the following events for a CSP:
CAMPAIGN_ADD: A campaign was registered.
CAMPAIGN_SHARE_ACCEPT/CAMPAIGN_SHARE_DELETE: An upstream CNP accepted a campaign.
CAMPAIGN_DCA_COMPLETE: A campaign was accepted by all DCAs to which it was submitted.
The order of event delivery is exactly the same as the order in which the events were generated. In order to support this First In, First Out (FIFO) requirement, events are funneled through account-specific queues for delivery. There is only one active delivery worker per account/queue. While the delivery order is guaranteed, duplicate events are possible if there are network or system disruptions.
Webhook Retry Policy
The CSP API tries to ensure that each webhook event is accepted by a CSP’s registered webhook endpoint. If a webhook endpoint times out or errors out (e.g., an HTTP 400 response), The CSP API will attempt to retry delivery based on a set schedule (as shown below).
The CSP API will not move to the next event in the queue until the current pending event is accepted by a CSP’s endpoint, or if it is discarded following several retry attempts. Webhook endpoint should not be designed to reject webhook events that aren’t needed or recognized. Doing so will trigger additional retry attempts on failed events and prevent the timely delivery of other events in the queue.
Webhook Endpoint Response | Retry | Retry Strategy |
|---|---|---|
2xx | No | N/A |
3xx | No | N/A |
4xx | Yes | Exponential back-off with expiration |
5xx | Yes | Exponential back-off with expiration |
Network Error/Timeout | Yes | Linear retry with no expiration |
Exponential Back-Off Retry Schedule
After 13 failed retry attempts, the event is discarded. Currently, there are no methods for recovering these lost events.
Retry Count | Seconds to Next Retry | Total Seconds Elapsed |
|---|---|---|
1 | 61 | 61 (1 min) |
2 | 76 | 137 (2 mins) |
3 | 141 | 278 (4.6 mins) |
4 | 361 | 594 (10 mins) |
5 | 685 | 1279 (21 mins) |
6 | 1356 | 2635 (44 mins) |
7 | 2461 | 5096 (1.4 hours) |
8 | 4156 | 9252 (2.6 hours) |
9 | 6621 | 15873 (4.4 hours) |
10 | 10060 | 25933 (7 hours) |
11 | 14701 | 40574 (11 hours) |
12 | 20796 | 61370 (17 hours) |
13 | 28621 | 89991 (25 hours) |
Webhook Authentication
To ensure secure communication between the CSP API and subscriber applications, all webhook notifications will have an HMAC-SHA1 signed X-Registry-Signature authentication header. To verify the signed signature, follow these steps:
Canonicalize the JSON raw content (webhook notification body) into a string. If needed, refer to the JCS defined canonicalization scheme.
Build the string to be signed as
stringToSign = {webhook URL + canonicalized string}.Set
AuthKey = {subscriber's SECRET key}.Apply the HMAC-SHA1 algorithm on the
stringToSignwithauthKeyand get thesignedString. For more information, refer to the section “How to Validate a Webhook Signature using HMAC” in the Webhook Instructions for CSP API document.Compare the
X-Registry-Signaturevalue with thesignedStringto determine the authenticity of the webhook notification.
Webhook IP Addresses
When creating webhooks for CSP applications, the CSP API uses the following IP addresses per development environment:
Disaster Recovery IP addresses are servers in a different physical location than the primary data center, and are used in case the primary data center is rendered unusable.
Environment | IP Addresses |
|---|---|
Production | 44.199.36.118 |
QA and Staging | 3.226.115.168 |
Production (Disaster Recovery) | 54.68.153.249 |
QA and Staging (Disaster Recovery) | 35.80.199.186 |