Skip to main content

Custom reward: Accumulating referral rewards in your own platform

Use a ReferralCandy webhook to receive each referred purchase in real time and credit custom rewards automatically in your own system.

Written by Adam

This is the developer reference for the custom-reward webhook — the payload ReferralCandy sends, how to verify it, and what your endpoint should return. For what a custom reward is, when to use one, and a plain-language overview of what setting up a webhook involves, see Advocate Reward: Custom.

Once Custom is selected as your campaign's advocate reward and you've let us know the webhook URL to use, ReferralCandy calls that URL with the referral's details and a signature for authentication every time a referral is detected.

Note: Setting up and handling a webhook involves development work on your side. ReferralCandy can't troubleshoot custom code or your own integration.


The webhook payload

When a referred purchase is detected, ReferralCandy sends a JSON payload to your URL with these fields:

Field

Description

referral_email

Email address of the referred friend.

referral_timestamp

UNIX timestamp of when the referred purchase was made.

referring_email

Email address of the referring advocate.

Example payload:

{
"referral_email": "friend@example.com",
"referral_timestamp": 1434439382,
"referring_email": "advocate@example.com"
}

Verifying the webhook signature

Each webhook notification includes the HTTP_X_REFERRAL_CANDY_SIGNATURE header — an MD5 hash of your API secret combined with the data sent in the request. To confirm a notification really came from ReferralCandy, calculate the same MD5 hash and check that it matches the value of the HTTP_X_REFERRAL_CANDY_SIGNATURE header.

Get your API secret from Account > Profile in your ReferralCandy dashboard, under API Tokens — it's the API Secret ID field.

If you're using a Rack-based framework such as Ruby on Rails or Sinatra, the header is exposed as HTTP_X_REFERRAL_CANDY_SIGNATURE.

A Ruby example:

require 'digest/md5'
# obtain from Account > Profile > API Tokens (API Secret ID)
API_SECRET = "your_secret"

def webhook_verified?(request)
data = request.body.read
signature = Digest::MD5.hexdigest("#{API_SECRET}#{data}")
signature == request.env["HTTP_X_REFERRAL_CANDY_SIGNATURE"]
end

Note: ReferralCandy expects your endpoint to respond with HTTP status code 200. If it doesn't, ReferralCandy emails you to let you know — the webhook isn't retried, but the reward isn't lost. The webhook is only a notification and doesn't affect your referral program.

Did this answer your question?