Rewards Webhook

Send the reward outputs like points, merchandise, cashbacks, coupons to your servers
A webhook url can be provided to CustomerGlu to receive the rewards won by users in real-time
A POST request will be made to the specified Webhook URL . Example request body is as follows
"campaignId": "xyz41c29-bb0d-4fe6-8260-1403d1c0e964",
"type": "scratchcard",
"userId": "testuser1",
"rewardId": "xyzbb3ca-093f-43f2-84ba-8d5ed0d6c1b4",
//rewardId will be unique and can be used as a de-duplication filter
"rewardName": "200 Coins",
"rewardAmount": 400 //optional
"code": "CODE123"//optional
"details": {//optional
"userBName": "testuser2", //in case of a reward for a referral
"userBId": "testuser2"//in case of a reward for a referral
"userAName": "testuser0", //in case of a reward for a referral
"userAId": "testuser0"//in case of a reward for a referral
"rewardCategory": "RM",//custom attribute
"currency":"USD"//custom attribute
//details object can also contain any logic/business specific custom attributes which can be given as a campaign input//
Optionally, to verify the authenticity of request, a secret token can be provided to CustomerGlu.
When you set a token, you'll receive the X-CG-SIGNATURE header in the webhook POST request. value of this header will be a hmac hexdigest of the request body with the provided token. See on how to validate the requests

Validating Reward Webhook

const verifySignature = (reqBodyDigest, cgHeader) => {
return crypto.timingSafeEqual(Buffer.from(cgHeader), Buffer.from(`${reqBodyDigest}`));
app.use(bodyParser.urlencoded({ extended: true }));'/hook', (req, res) => {
const jsonString = JSON.stringify(req.body);
const reqBodyDigest = crypto.createHmac('sha1', token)
const cgHeader = req.headers['x-cg-signature'];
const verify = verifySignature(reqBodyDigest, cgHeader)
import hmac,hashlib,json
sampleObj = {"campaignId":"6bab1116-ae8e-4644-9cee-7a3d8ee9aff3","type":"direct","userId":"test-8-june-9","rewardId":"acdc71c6-08ad-4cd9-8c1e-3c812487b854","rewardName":"$15","rewardAmount":15,"details":{"currency":"USD","value":15,"reward_reason":"got_referred","userAName":"Test Solve 7","userAId":"test-8-june-7"}}
def generateSignature(incomingBody):
incomingBodyString = json.dumps(incomingBody, ensure_ascii=False, separators=(',', ':')).encode('utf-8')
return, incomingBodyString, hashlib.sha1).hexdigest()
def verifySignature(cgHeader,incomingBody):
return hmac.compare_digest(cgHeader,generateSignature(incomingBody))
CustomerGlu requires the raw body of the request to perform signature verification. If you are using a framework/library, make sure it doesn't manipulate the raw body. Any manipulation to the raw body of the request will cause the verification to fail.
private static String toHexString(byte[] bytes) {
Formatter formatter = new Formatter();
for (byte b : bytes) {
formatter.format("%02x", b);
return formatter.toString();
public static String calculateSHA1HMAC(String payload, String key)
throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM);
Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
return toHexString(mac.doFinal(payload.getBytes()));
function verifySignature($apiSecret)
$body = json_encode(file_get_contents('php://input')); // get json encoded body
$hmac = hash_hmac('sha1', $body, $apiSecret); // Generate HMAC from body and shared secret
$signature = $_SERVER['x-cg-signature']; // Get signature from request header
return $hmac == $signature; // compare request signature with generated signature.

Whitelisting CustomerGlu Webhook IPs

The following IP address(es) should be whitelisted by your Server, to receive Webhook requests from CustomerGlu: