Webhook Events

Signature Verification

All webhook payloads are signed with your webhook secret using HMAC-SHA256. The signature is in the X-PartnerForge-Signature header:

X-PartnerForge-Signature: t=1707000000,v1=abc123...

To verify:
1. Extract timestamp (t) and signature (v1)
2. Compute HMAC-SHA256 of "{timestamp}.{body}" using your webhook secret
3. Compare hex-encoded result with v1
4. Reject if timestamp is older than 5 minutes

Events

affiliate.applied

An affiliate applied to one of your programs.

affiliate.approved

An affiliate was approved (manually or auto-approved).

conversion.created

A new conversion was tracked and attributed.

conversion.flagged

A conversion was flagged by the fraud detection engine (score > 20).

conversion.approved

A conversion was approved (either auto or manual).

conversion.rejected

A conversion was rejected.

commission.paid

A commission was paid out to the affiliate via Stripe Connect.

refund.detected

A refund was detected on a tracked sale. Commission will be reversed.

chargeback.created

A chargeback was created. Commission is held pending dispute resolution.

Retry Policy

Failed deliveries are retried up to 3 times with exponential backoff: 1 minute, 5 minutes, 30 minutes.