Webhook notifications

Tango sends event notifications as a POST request to the URL you specified when you subscribed to the event. Notifications are in JSON format and carry a signature in the X-Signed-Payload header. The header signature indicates that the call originates from Tango and lets you check the authenticity and integrity of the event data you receive through the webhook.

Here is a generic notification and the expected response:

-- Webhook Notification
curl --request POST \
     --url <<yourURL>> \
     --header 'accept: application/json' \
     --header 'authorization: your key values' \
     --header 'content-type: application/json' \
     --header 'X-Signed-Payload: {Event Signature}' \
     --header 'Key: value' \
     --data '
{
 "eventId": "1234-123-123-123456",
 "revision": 765,
 "category": ["string"],
 "eventTypes": ["string"],
 "eventOccurredAt": "2019-06-03T00:57:16Z",
 "eventData": {
   event data specific to the event
 }
}'

-- Expected Response
200 OK

Note:

  • Notifications may not arrive in chronological order. Use revision to determine the order.
  • Validate the header signature to make sure the call is coming from Tango.
  • Allowlist IP addresses supplied by Tango and only accept requests coming from the following IP addresses for additional security:
    • Sandbox: (3.217.205.241)
    • Production: (13.52.34.251 and 52.8.94.202)
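
The three checks in the note, combined into one receiver-side gate. This is an added example, not Tango's code: the class name, the verdict strings, the non-200 status codes and the `verify_signature` callback are assumptions, and the sample body is constructed.

```python
import ipaddress
import json

# Source addresses listed on this page for each Tango environment.
TANGO_IPS = {
    "sandbox": {"3.217.205.241"},
    "production": {"13.52.34.251", "52.8.94.202"},
}

# Constructed sample body, shaped like the generic notification above.
SAMPLE_BODY = json.dumps({"eventId": "1234-123-123-123456", "revision": 765,
                          "eventData": {}}).encode()


class WebhookReceiver:
    """Runs the checks from the note before business logic sees the event."""

    def __init__(self, environment, verify_signature):
        self.allowed = {ipaddress.ip_address(ip) for ip in TANGO_IPS[environment]}
        # Hypothetical callback (raw_body, header_value) -> bool; plug in the
        # X-Signed-Payload verification for your registered key pair here.
        self.verify_signature = verify_signature
        self.latest_revision = None

    def handle(self, peer_ip, headers, raw_body):
        """Return (status, verdict). Non-200 codes are this example's choice."""
        # peer_ip must be the TCP peer (or a value set by your own trusted
        # proxy), never a client-supplied header such as X-Forwarded-For.
        try:
            if ipaddress.ip_address(peer_ip) not in self.allowed:
                return 403, "source not allowlisted"
        except ValueError:
            return 403, "source not allowlisted"
        # HTTP header names are case-insensitive.
        signature = {k.lower(): v for k, v in headers.items()}.get("x-signed-payload")
        # Verify over the raw bytes, before the JSON parser touches them.
        if not signature or not self.verify_signature(raw_body, signature):
            return 401, "signature rejected"
        try:
            revision = int(json.loads(raw_body)["revision"])
        except (ValueError, KeyError, TypeError):
            return 400, "malformed notification"
        # Delivery order is not guaranteed: acknowledge an older revision but
        # flag it so it cannot overwrite state written by a newer one.
        if self.latest_revision is not None and revision < self.latest_revision:
            return 200, "out of order"
        self.latest_revision = revision
        return 200, "accepted"
```

The receiver still answers 200 to an out-of-order notification so that it is acknowledged; the verdict tells the caller not to apply it over newer state.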

Tango signs each event by including the X-Signed-Payload signature in the header of the event. Tango generates this signature in two steps:

  1. Encryption with the registered signing certificate (public key): Tango encrypts the event's body using the registered signing certificate (public key).
  2. Base64 encoding of the encrypted result: The encrypted data is then base64 encoded to produce the signature.

To confirm that an event is authentic and originates from Tango, perform the following verification steps. Verifying the signature ensures the integrity of the event data and protects against tampering or unauthorized access:

  1. Base64 decoding: Begin by base64 decoding the received signature.
  2. Decryption with the private key: Next, decrypt the decoded signature using your private key.