Webhooks

Learn how to use webhooks to receive real-time updates on important events related to your TGmembership-powered Telegram bot.

TGmembership offers support for webhooks, allowing you to receive real-time updates on crucial events related to your Telegram bot. Webhooks provide push API calls that can notify your application when specific events occur, such as new payments, renewals, cancellations, donations, and other relevant data. By configuring your webhook URL, you can start receiving real-time updates in JSON format and stay informed about critical events.
Setting Up a Webhook
​To learn how to generate add a webhook endpoint, please refer to our guide on Setting Up a Webhook.​
Payload Schema
The webhook payload for TGmembership has a simple schema with three elements: "event", "debug_id", and "data". The "event" element specifies the type of event that has occurred, while "debug_id" provides an identifier for debugging purposes. The "data" element contains element-specific data related to the event. Each event has its own data structure, which will be detailed separately in the documentation.
Key
Description
event
A string representing the type of event that triggered the webhook, such as "order_completed" or "membership_terminated".
debug_id
A string identifier for the webhook event, which is not guaranteed to be unique and is used solely for debugging purposes. If you have any questions or issues related to an event, please provide this ID when contacting TGmembership support team.
data
An object containing data related to the event that triggered the webhook. The structure and contents of this object will vary depending on the type of event.
Verifying the Signature
To generate the signature for the webhook request, several steps are taken. First, a string is created by concatenating the nonce (provided in the header), timestamp, and the payload data using a period as a delimiter. The resulting string is then passed through a hashing algorithm called sha512 along with a secret key to generate a unique hash. The hash is then transformed to uppercase characters. Finally, the timestamp and the resulting hash are combined into a signature string using the format t=<timestamp>,v1=<hash>. This signature string is then included as a header with the webhook request to authenticate and validate the request.
Python
import re
import hashlib
import hmac
​
nonce = '53ed4554ef588'
signature = 't=1684096282,v1=8A3E2807CFA4C964597ECC02C4DED09007AC0966D3C2A696F2D0B189CC9740E153EFA8630BE598AF92984B60B3F3584BE24827829B044229A8E0C26EF31650B0'
payload = '{"event":"membership_terminated","debug_id":"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN","data":{"member_id":1111111111}}'
​
def verifySignature(nonce, signature, payload):
    match = re.match(r'^t=(\d+),v1=[A-Z0-9]+$', signature)
    if not match:
        return False
    timestamp = match.group(1)
    expectedSignature = generateSignature(nonce, timestamp, payload, 'something')
    return hmac.compare_digest(expectedSignature, signature)
​
def generateSignature(nonce, timestamp, post, secretKey):
    signature_string = f"{nonce}.{timestamp}.{payload}"
    signature = hmac.new(secretKey.encode(), signature_string.encode(), hashlib.sha512).hexdigest().upper()
    return f"t={timestamp},v1={signature}"
​
print(verifySignature(nonce, signature, payload))
Node.js
const crypto = require('crypto');
​
const nonce = '53ed4554ef588';
const signature = 't=1684096282,v1=8A3E2807CFA4C964597ECC02C4DED09007AC0966D3C2A696F2D0B189CC9740E153EFA8630BE598AF92984B60B3F3584BE24827829B044229A8E0C26EF31650B0';
const payload = '{"event":"membership_terminated","debug_id":"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN","data":{"member_id":1111111111}}';
​
function verifySignature(nonce, signature, payload) {
    const signatureParts = signature.match(/^t=(\d+),v1=[A-Z0-9]+$/);
    if (!signatureParts)
        return false;
    const timestamp = signatureParts[1];
    return generateSignature(nonce, timestamp, payload, 'something') === signature;
}
​
function generateSignature(nonce, timestamp, payload, secretKey) {
    const signatureString = nonce + '.' + timestamp + '.' + payload;
    const signature = crypto
        .createHmac('sha512', secretKey)
        .update(signatureString)
        .digest('hex')
        .toUpperCase();
    return `t=${timestamp},v1=${signature}`;
}
​
console.log(verifySignature(nonce, signature, payload));
PHP
<?php
$nonce = '53ed4554ef588';
$signature = 't=1684096282,v1=8A3E2807CFA4C964597ECC02C4DED09007AC0966D3C2A696F2D0B189CC9740E153EFA8630BE598AF92984B60B3F3584BE24827829B044229A8E0C26EF31650B0';
$payload = '{"event":"membership_terminated","debug_id":"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN","data":{"member_id":1111111111}}';
​
function verifySignature($nonce, $signature, $payload) {
    if (!preg_match('/^t=(\d+),v1=[A-Z0-9]+$/', $signature, $signatureParts))
        return false;
    $timestamp = $signatureParts[1];
    return hash_equals(generateSignature($nonce, $timestamp, $payload, 'something'), $signature);
}
​
function generateSignature($nonce, $timestamp, $payload, $secretKey) {
    $signature = $nonce . '.' . $timestamp . '.' . $payload;
    $signature = strtoupper(hash_hmac('sha512', $signature, $secretKey));
    $signature = sprintf('t=%d,v1=%s', $timestamp, $signature);
    return $signature;
}
​
var_dump(verifySignature($nonce, $signature, $payload));
Webhook Delivery
TGmembership sends webhook updates to your endpoint as soon as they happen. Once an update is sent, TGmembership expects a response with http code 200 to confirm successful delivery.
If the first delivery attempt fails, TGmembership will automatically try to redeliver the update up to seven times, using the following schedule:
2nd attempt: approximately 2 minutes after the first attempt
3rd attempt: approximately 20 minutes after the second attempt
4th attempt: approximately 6 hours after the third attempt
5th attempt: approximately 14 hours after the fourth attempt
6th attempt: approximately 30 hours after the fifth attempt
7th attempt: approximately 2 days after the sixth attempt
If after the seventh attempt, the update still cannot be delivered, it will be considered unsuccessful, and TGmembership may delete the webhook endpoint to prevent further delivery attempts.
Request Headers
When a webhook event is sent to your server, it will include three custom headers to help you verify the authenticity of the request and understand its delivery status.
Header
Description
TGMEMBERSHIP-NONCE
This header contains a random string that is generated for each request.
TGMEMBERSHIP-SIGNATURE
This header contains a cryptographic signature that is generated based on the request payload and a secret key shared between TGmembership and your server. You can use this signature to verify that the request came from TGmembership and has not been modified in transit.
TGMEMBERSHIP-DELIVERY-ATTEMPT
This header contains a number that indicates how many times TGmembership has attempted to deliver this event to your server. In case of delivery failures, TGmembership will try up to 7 times to deliver the event before giving up. The header value will be incremented for each attempt.
​
Event: order_completed
This event is triggered when an order has been successfully completed and payment has been received.
Key
Description
amount
A string representing the amount of payment made.
currency
A string representing the currency code for the payment.
is_donation
A boolean indicating whether the payment was a donation or not.
is_renewal
A boolean indicating whether the payment was a renewal or not.
member_id
An integer representing the Telegram user ID of the member.
order_date
An integer representing the date and time (in Unix timestamp format) when the payment was made.
order_key
A string representing a unique identifier for the payment order.
payment_method
A lower-cased string representing the payment method used (e.g., stripe, paypal, etc.).
plan_id
An integer representing the plan ID associated with the payment.
referred_by
An integer representing the Telegram user ID of the member who referred the paying member.
subscription_id
A string representing a unique identifier for the subscription.
{
  "event": "order_completed",
  "debug_id": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN",
  "data": {
    "amount": "10",
    "currency": "EUR",
    "is_donation": false,
    "is_renewal": true,
    "member_id": 1111111111,
    "order_date": 1684080114,
    "order_key": "abcdefghijklmnopqrstuvwxyz",
    "payment_method": "stripe",
    "plan_id": 1,
    "referred_by": 2222222222,
    "subscription_id": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  }
}
Note: The elements currency, order_key, plan_id, is_renewal, referred_by, and subscription_id may not be included in the webhook payload if they are not relevant or their value is null.
Event: membership_terminated
This event is triggered when a member's subscription has been terminated.
Key
Description
member_id
An integer representing the Telegram user ID of the member.
{
  "event": "membership_terminated",
  "debug_id": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN",
  "data": {
    "member_id": 1111111111
  }
}

Key	Description
event	A string representing the type of event that triggered the webhook, such as "order_completed" or "membership_terminated".
debug_id	A string identifier for the webhook event, which is not guaranteed to be unique and is used solely for debugging purposes. If you have any questions or issues related to an event, please provide this ID when contacting TGmembership support team.
data	An object containing data related to the event that triggered the webhook. The structure and contents of this object will vary depending on the type of event.

Header	Description
TGMEMBERSHIP-NONCE	This header contains a random string that is generated for each request.
TGMEMBERSHIP-SIGNATURE	This header contains a cryptographic signature that is generated based on the request payload and a secret key shared between TGmembership and your server. You can use this signature to verify that the request came from TGmembership and has not been modified in transit.
TGMEMBERSHIP-DELIVERY-ATTEMPT	This header contains a number that indicates how many times TGmembership has attempted to deliver this event to your server. In case of delivery failures, TGmembership will try up to 7 times to deliver the event before giving up. The header value will be incremented for each attempt.

Key	Description
amount	A string representing the amount of payment made.
currency	A string representing the currency code for the payment.
is_donation	A boolean indicating whether the payment was a donation or not.
is_renewal	A boolean indicating whether the payment was a renewal or not.
member_id	An integer representing the Telegram user ID of the member.
order_date	An integer representing the date and time (in Unix timestamp format) when the payment was made.
order_key	A string representing a unique identifier for the payment order.
payment_method	A lower-cased string representing the payment method used (e.g., stripe, paypal, etc.).
plan_id	An integer representing the plan ID associated with the payment.
referred_by	An integer representing the Telegram user ID of the member who referred the paying member.
subscription_id	A string representing a unique identifier for the subscription.

Key	Description
member_id	An integer representing the Telegram user ID of the member.

Set your own Terms of Service

Setting Up a Webhook

Last modified 11d ago