Webhooks

Name: FazerCards Reseller Platform
Brand: FazerCards
Price: 9.99 USD
Availability: InStock
Rating: 4.8 (9 reviews)

Receive real-time notifications when order status changes. Signed JSON payloads, easy verification.

A webhook is an HTTP callback — when an order status changes, we send a POST request to your URL with the event data. You don't need to poll; you get instant notifications.

Setup

Via Reseller Panel

Go to Profile → Webhook notifications, enter your webhook URL (https:// or http://), click Save webhook, copy the secret shown in the modal — it is displayed only once.

Via API

Set webhook URL (returns secret once):

bash

curl -X POST "https://api.fazercards.com/api/v1/me/webhook" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"webhook_url": "https://your-server.com/webhook"}'

Events

Webhook receives only order status change events. No configuration needed.

Status	When triggered
completed	Order completed — codes delivered
refunded	Order refunded
failed	Order failed or error

Payload Format

Each webhook request is a JSON object:

Payload fields: event — always order.status_changed; timestamp — ISO 8601; data — order_id, status, type, amount_charged, currency, product_name, codes (array, empty for failed/refunded), created_at, updated_at.

json

{
  "event": "order.status_changed",
  "timestamp": "2026-03-14T12:34:56.789Z",
  "data": {
    "order_id": "ord_xxx",
    "status": "completed",
    "type": "gift_card",
    "amount_charged": 5.00,
    "currency": "USDT",
    "product_id": "prod_xxx",
    "product_name": "Steam $10",
    "codes": ["XXXX-YYYY-ZZZZ"],
    "created_at": "2026-03-14T12:00:00Z",
    "updated_at": "2026-03-14T12:34:56Z"
  }
}

For completed orders, codes contains the delivered redemption codes. For refunded or failed, codes is empty.

Failed order example

json

{
  "event": "order.status_changed",
  "timestamp": "2026-03-14T12:34:56.789Z",
  "data": {
    "order_id": "ord_xxx",
    "status": "failed",
    "type": "gift_card",
    "amount_charged": 5.00,
    "currency": "USDT",
    "product_name": "Steam $10",
    "codes": [],
    "created_at": "2026-03-14T12:00:00Z",
    "updated_at": "2026-03-14T12:34:56Z"
  }
}

Signature Verification

docs.webhooks.signatureDesc

The signature proves the request came from FazerCards. Without verification, an attacker could forge webhooks. Always verify before processing.

Node.js example

javascript

const crypto = require('crypto');

function verifyWebhookSignature(rawBody, signature, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'utf8'),
    Buffer.from(expected, 'utf8')
  );
}

// Usage (Express)
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-webhook-signature'];
  if (!verifyWebhookSignature(req.body.toString(), sig, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  const payload = JSON.parse(req.body.toString());
  // Process payload...
  res.status(200).send('OK');
});

Python example

python

import hmac
import hashlib

def verify_webhook_signature(raw_body: bytes, signature: str, secret: str) -> bool:
    expected = 'sha256=' + hmac.new(
        secret.encode(),
        raw_body,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)

# Usage (Flask)
@app.route('/webhook', methods=['POST'])
def webhook():
    raw_body = request.get_data()
    sig = request.headers.get('X-Webhook-Signature', '')
    if not verify_webhook_signature(raw_body, sig, os.environ['WEBHOOK_SECRET']):
        return 'Invalid signature', 401
    payload = request.get_json()
    # Process payload...
    return 'OK', 200

Regenerate Secret

If you need to rotate the secret (e.g. after a leak):

bash

curl -X POST "https://api.fazercards.com/api/v1/me/webhook/regenerate" \
  -H "X-API-Key: YOUR_API_KEY"

Retry Policy

No retries. Fire-and-forget. Endpoint must return 200 within ~5s.

Security Recommendations

Always verify the signature
Use HTTPS in production
Store the secret securely
Respond quickly (200 within seconds); do heavy work asynchronously

Webhook API Endpoints

GET/me/webhook

Get current webhook config

POST/me/webhook

Set webhook URL (returns secret once)

PUT/me/webhook/settings

Update webhook URL

POST/me/webhook/regenerate

Regenerate secret (returns new secret once)

DELETE/me/webhook

Remove webhook

POST/me/webhook/test

Send a test event