Webhook Events
Signature Verification
All webhook payloads are signed with your webhook secret using HMAC-SHA256. The signature is in the X-PartnerForge-Signature header:
X-PartnerForge-Signature: t=1707000000,v1=abc123...
To verify:
1. Extract timestamp (t) and signature (v1)
2. Compute HMAC-SHA256 of "{timestamp}.{body}" using your webhook secret
3. Compare hex-encoded result with v1
4. Reject if timestamp is older than 5 minutes
Events
affiliate.applied
An affiliate applied to one of your programs.
affiliate.approved
An affiliate was approved (manually or auto-approved).
conversion.created
A new conversion was tracked and attributed.
conversion.flagged
A conversion was flagged by the fraud detection engine (score > 20).
conversion.approved
A conversion was approved (either auto or manual).
conversion.rejected
A conversion was rejected.
commission.paid
A commission was paid out to the affiliate via Stripe Connect.
refund.detected
A refund was detected on a tracked sale. Commission will be reversed.
chargeback.created
A chargeback was created. Commission is held pending dispute resolution.
Retry Policy
Failed deliveries are retried up to 3 times with exponential backoff: 1 minute, 5 minutes, 30 minutes.