With the web hook endpoints, you can subscribe and unsubscribe to events within your Referral Rock account. To subscribe and unsubscribe, call the endpoints respectively described here and here. the set of events supported is listed below. the sample included with each event is an example of the request body that will be sent with the post request to the endpoint specified.
Available events for Programs:
{
"EventType": "ProgramAdd"
"Id": "00000000-0000-0000-0000-000000000000",
"IsActive": true,
"IsDefault": true,
"Name": "New Referrals Program",
"Type": "Web",
"Title": "New Referrals Program",
"MemberOffer": "Gift Card",
"ReferralOffer": "Another Gift Card",
"DirectUrl": "http://www.example.com",
"WidgetUrl": "http://widget.example.com",
"LoginUrl": "http://login.example.com",
"RegistrationViews": 0,
"MembersRegistered": 0,
"MemberViews": 0,
"ReferralViews": 0,
"ReferralsCreated": 0,
"ReferralsApproved": 0,
"MembersActive": 0,
"MembersDisabled": 0,
"ReferralsPending": 0,
"ReferralsQualified": 0,
"ReferralsDenied": 0,
"ReferralsApprovedAmount": 0.0,
"RewardsCreated": 0,
"RewardsPending": 0,
"RewardsIssued": 0,
"RewardsIssuedAmount": 0.0,
"Timestamp": 1668174706
}
{
"EventType": "MemberAdd"
"Id": "00000000-0000-0000-0000-000000000002",
"NewMemberId": null,
"DisplayName": "Test Inc (example@site.com)",
"PayoutInfo": null,
"PayoutInfos": [],
"PayPalEmailAddress": null,
"WiseEmailAddress": null,
"Status": null,
"ProgramTitle": "Customer Referral Program",
"ProgramName": "myprogram",
"ReferralUrl": "https://example/l/E14D26F4/",
"MemberUrl": "https://example/l/E14D26F4/",
"ReferralQRCodeEmailUrl": null,
"ReferralQRCodeShareWidgetUrl": null,
"EmailShares": 0,
"SocialShares": 0,
"Views": 0,
"Referrals": 0,
"ReferralsPending": 0,
"ReferralsQualified": 0,
"ReferralsApproved": 0,
"ReferralsApprovedAmount": 0,
"RewardsPending": 0,
"RewardsIssued": 0,
"RewardAmountTotal": 0,
"Rewards": 0,
"LastShare": null,
"UpdateDate": "2018-04-04T16:58:06.947Z",
"MemberViews": 0,
"LastMemberView": null,
"LastReferralView": null,
"Source": null,
"BlockSendingEmail": false,
"BlockReason": "",
"PrivateCode": "E14D26F4",
"LastViewIPAddress": "",
"AllowExcessPaymentsFlag": false,
"WebConversionCount": null,
"FirstMemberShareDate": null,
"FirstMemberViewDate": null,
"FirstReferralViewDate": null,
"FirstReferralAddDate": null,
"FirstMemberRewardAddDate": null,
"LastReferralAddDate": null,
"LastMemberRewardAddDate": null,
"ActivatedDate": "2018-04-04T16:58:06.947Z",
"LastActiveDate": null,
"Timestamp": 1668174706,
"CreatedDate": "2018-04-04T16:58:06.947Z",
"DisableReason": "",
"ExternalId": "",
"ProgramId": "00000000-0000-0000-0000-000000000000",
"ReferralCode": "E14D26F4",
"FullName": "Test Inc",
"FirstName": "firstName",
"LastName": "lastName",
"Email": "example@site.com",
"CustomReferralOverrideUrl": "",
"CustomText1Name": "",
"CustomOption1Name": "",
"CustomText1Value": "",
"CustomOption1Value": "",
"CustomText2Name": "",
"CustomText2Value": "",
"DisabledFlag": false,
"Password": "",
"Phone": "",
"AddressLine1": "",
"AddressLine2": "",
"City": "",
"StateProvince": "",
"Country": "",
"ZipPostalCode": "",
"BirthDate": null,
"UtmSource": "",
"UtmMedium": "",
"UtmCampaign": "",
"BrowserReferrerUrl": ""
}
{
"EventType": "ReferralAdd"
"Id": "00000000-0000-0000-0000-000000000002",
"DisplayName" : "Jane Doe (Jane@example.com)",
"FullName": "Jane Doe",
"FirstName": "Jane",
"LastName": "Doe",
"CompanyName": "Taco Inc.",
"Email": "Jane@example.com",
"ExternalId": "00000000-0000-0000-0000-000000000000",
"PhoneNumber": "888-555-1212",
"Amount": 0,
"PreferredContact": "Email Me",
"CreatedDate": "2016-04-10T18:46:21.3597347Z",
"ProgramId": "00000000-0000-0000-0000-000000000000",
"ProgramName": "New Referrals Program",
"ProgramTitle": "New Referrals Program",
"MemberId": "00000000-0000-0000-0000-0000000000001",
"MemberName": "Jon Doe",
"MemberEmail": "Jon@example.com",
"MemberReferralCode": "ABC12345",
"MemberExternalId": "123456789",
"ApprovedDate": "2016-04-10T18:46:21.3597347Z",
"QualifiedDate": "2016-04-10T18:46:21.3597347Z",
"Status": "Pending",
"Source": "AdminUI",
"UpdateDate": "2016-04-10T18:46:21.3597347Z",
"Note": "Note",
"PublicNote": "Public Note",
"AmountFormatted": "$0.00",
"CustomOption1Name": "",
"CustomOption2Name": "",
"CustomText1Name": "",
"CustomText2Name": "",
"CustomText3Name": "",
"CustomOption1Value": "",
"CustomOption2Value": "",
"CustomText1Value": "",
"CustomText2Value": "",
"CustomText3Value": "",
"ConversionNote": "",
"ConversionIPAddress": "",
"Timestamp": 1668174706
}
{
"EventType": "RewardAdd"
"Id": "00000000-0000-0000-0000-000000000000",
"PayoutId": "00000000-0000-0000-0000-000000000000",
"PayoutDescription": null,
"ProgramId": "00000000-0000-0000-0000-000000000000",
"ProgramName": null,
"MemberId": null,
"ReferralId": null,
"Type": null,
"RecipientId": null,
"RecipientName": null,
"RecipientEmailAddress": null,
"Status": null,
"Amount": 0.0,
"CreateDate": "0001-01-01T00:00:00",
"IssueDate": null,
"EligibilityDate": "0001-01-01T00:00:00",
"Description": null,
"TransactionID": "00000000-0000-0000-0000-000000000000",
"UpdateDate": "0001-01-01T00:00:00",
"ReferralDisplayName": null,
"Timestamp": 1668174706,
"Payments": [
{
"Id": "pay_001",
"Status": "sent",
"CreateDate": "2025-04-02T10:15:00Z",
"LastPaymentUpdate": "2025-04-02T14:45:00Z",
"IssuedNote": "Initial issuance",
"TransactionDestination": "john.doe@example.com",
"RollbackDate": null,
"RollbackNote": null,
"ExternalID": "ext_001234",
"VendorErrorStatus": null,
"VendorErrorMessage": null
},
{
"Id": "pay_002",
"Status": "failed",
"CreateDate": "2025-04-03T09:00:00Z",
"LastPaymentUpdate": "2025-04-03T10:30:00Z",
"IssuedNote": "Retry after failure",
"TransactionDestination": "john.doe@example.com",
"RollbackDate": "2025-04-03T11:00:00Z",
"RollbackNote": "Payment failed due to invalid account",
"ExternalID": "ext_001235",
"VendorErrorStatus": "invalid_destination",
"VendorErrorMessage": "Email address is not registered with the vendor"
}
]
}
{
"Message": "Email added to unsubcribed list for all email types",
"Email": "test123@google.com",
"eventName": "EmailUnsubscribed",
"Timestamp": 1668174706
}
Referral Rock will sign the webhook events it sends to your endpoints by including a signature in each event’s RR-Signature header. This allows you to verify that the events were sent by Referral Rock, not by a third party. You can verify signatures by using one of the following examples.
using System;
using System.Security.Cryptography;
using System.Text;
// Key that will be used to encrypt JSON body data and event type.
// Make sure the key used is the same key for the event type that is being handled.
string key = "Your Generated Key";
/*
Example JSON data that will be received
{payload}: needs to be replaced by the request payload received .
Example: {
"EventType": "ProgramAdd"
"Id": "00000000-0000-0000-0000-000000000000",
"IsActive": true,
"IsDefault": true,
"Name": "New Referrals Program",
"Type": "Web",
"Title": "New Referrals Program",
"MemberOffer": "Gift Card",
"ReferralOffer": "Another Gift Card",
"DirectUrl": "http://www.example.com",
"WidgetUrl": "http://widget.example.com",
"LoginUrl": "http://login.example.com",
"RegistrationViews": 0,
"MembersRegistered": 0,
"MemberViews": 0,
"ReferralViews": 0,
"ReferralsCreated": 0,
"ReferralsApproved": 0,
"MembersActive": 0,
"MembersDisabled": 0,
"ReferralsPending": 0,
"ReferralsQualified": 0,
"ReferralsDenied": 0,
"ReferralsApprovedAmount": 0.0,
"RewardsCreated": 0,
"RewardsPending": 0,
"RewardsIssued": 0,
"RewardsIssuedAmount": 0.0,
"TimesStamp": 1668174706
}
{webhook_event}: webhook event (see the event list above)
*/
// Use body raw data
var payload = "< Your body raw data >";
// Concatenate payload JSON body raw data with webhook event to match
// the content that was used before encrypting the signature.
string content = "{payload}.{webhook_event}";
// Encrypt content using the SHA12 algorithm and convert it to a base 64 string.
byte[] keyByte = new ASCIIEncoding().GetBytes(key);
byte[] messageBytes = new ASCIIEncoding().GetBytes(content);
byte[] hashmessage = new HMACSHA512(keyByte).ComputeHash(messageBytes);
string base64Hashed = Convert.ToBase64String(hashmessage);
// Compare the encrypted data against the RR-Signature header.
// You can consider a valid request if the base64Hashed is equal to Request.Headers.GetValues("RR-Signature").First().
if(base64Hashed == Request.Headers.GetValues("RR-Signature").First())
{
//signature valid
}
Node Sample using express:
// libray responsible for encrypt body data + event type
var crypto = require('crypto');
// Example of how the express library handles the request.
app.post('/', (req, res) => {
// Key that will be used to encrypt JSON body data and event type.
// Make sure the key used is the same key for the event type that is being handled.
var key = 'Your generated key';
/*
Example JSON data that will be received
{payload}: needs to be replaced by the request payload received.
Example: {
"EventType": "ProgramAdd"
"Id": "00000000-0000-0000-0000-000000000000",
"IsActive": true,
"IsDefault": true,
"Name": "New Referrals Program",
"Type": "Web",
"Title": "New Referrals Program",
"MemberOffer": "Gift Card",
"ReferralOffer": "Another Gift Card",
"DirectUrl": "http://www.example.com",
"WidgetUrl": "http://widget.example.com",
"LoginUrl": "http://login.example.com",
"RegistrationViews": 0,
"MembersRegistered": 0,
"MemberViews": 0,
"ReferralViews": 0,
"ReferralsCreated": 0,
"ReferralsApproved": 0,
"MembersActive": 0,
"MembersDisabled": 0,
"ReferralsPending": 0,
"ReferralsQualified": 0,
"ReferralsDenied": 0,
"ReferralsApprovedAmount": 0.0,
"RewardsCreated": 0,
"RewardsPending": 0,
"RewardsIssued": 0,
"RewardsIssuedAmount": 0.0,
"Timestamp": 1668174706
}
{webhook_event}: webhook event (see the event list above)
*/
// Get the JSON body raw data
var payload = request.body;
// Concatenate payload JSON body raw data with webhook event to match
// the content that was used before encrypting the signature.
var content = `${payload}.${webhook_event}`;
// Encrypt content using the SHA12 algorithm and convert it to a base 64 string.
var hmacSignature = crypto.createHmac('SHA512', Buffer.from(key, 'ASCII')).update(content).digest('base64');
// Compare the encrypted data against the RR-Signature header.
// You can consider a valid request if the hmaxSignature is equal to req.headers['RR-Signature'].
if(hmacSignature === req.headers['RR-Signature']){
//valid signature
}
})
JavaScript Sample
//Library used to encrypt body data & event type
var crypto = require("crypto");
//Replace key value here with your Webhook Key
var key = "rr_qXnAimw1krN8N1x8NFwA";
//Replace webhook event with matching webhook event
var webhook_event = "MemberUpdate";
//The value below should be taken from the 'RR-Signature' header in the request
var rr_signature =
"by+GqrfUnYywprmKYGkriH16DeAuKgN5o0xBqQ8nxTWzFLMRatWiPM/dsma1Ae0UkIkzn6XciVDCNCEAxQe4cg==";
//The value below should be the raw data from the JSON body
var payload =
'{"EventType": "MemberAdd",' +
''"Id":"3dc6d74c-22ba-474e-88be-2aefe51eece1",' +
'"NewMemberId":null,' +
'"DisplayName":"Example Member (test@example.com)",' +
'"PayoutInfo":null,' +
'"PayoutInfos":null,' +
'"ProgramTitle":"My Referrals",' +
'"ProgramName":"Referral Program",' +
'"ReferralUrl":"https://example.referralrock.com/l/EXAMPLE1/",' +
'"MemberUrl":"https://example.referralrock.com/share/EXAMPLE2/",' +
'"EmailShares":0,' +
'"SocialShares":0,' +
'"Views":0,' +
'"Referrals":0,' +
'"ReferralsPending":0,' +
'"ReferralsQualified":0,' +
'"ReferralsApproved":0,' +
'"ReferralsApprovedAmount":0.0000,' +
'"RewardsPending":0.0000,' +
'"RewardsIssued":0.0000,' +
'"RewardAmountTotal":0.0000,' +
'"Rewards":0,' +
'"LastShare":null,' +
'"CreatedDate":"2024-03-20T15:31:30.233Z",' +
'"UpdateDate":"2024-03-20T15:35:17.093Z",' +
'"MemberViews":0,' +
'"LastMemberView":null,' +
'"LastReferralView":null,' +
'"Source":"AdminUI",' +
'"BlockSendingEmail":false,' +
'"BlockReason":"",' +
'"PrivateCode":"EXAMPLE2",' +
'"LastViewIPAddress":"",' +
'"AllowExcessPaymentsFlag":false,' +
'"WebConversionCount":null,' +
'"Timestamp":1710948918,' +
'"ExternalId":"",' +
'"ProgramId":"01e64205-5290-4b98-b21e-360a10c8672d",' +
'"ReferralCode":"EXAMPLE1",' +
'"FullName":"Example Member",' +
'"FirstName":"Example",' +
'"LastName":"Member",' +
'"Email":"test@example.com",' +
'"CustomReferralOverrideUrl":"",' +
'"CustomText1Name":"",' +
'"CustomOption1Name":"",' +
'"CustomText1Value":"",' +
'"CustomOption1Value":"",' +
'"CustomText2Name":"",' +
'"CustomText2Value":"",' +
'"DisabledFlag":false,' +
'"Password":"",' +
'"Phone":"",' +
'"AddressLine1":"",' +
'"AddressLine2":"",' +
'"City":"",' +
'"StateProvince":"",' +
'"Country":"",' +
'"ZipPostalCode":"",' +
'"BirthDate":null,' +
'"UtmSource":"",' +
'"UtmMedium":"",' +
'"UtmCampaign":"",' +
'"BrowserReferrerUrl":""}';
//Concatenate the payload JSON body raw data with webhook event to match
//the content that was used before encrypting the signature
var content = `${payload}.${webhook_event}`;
//Encrpyt content using the SHA12 algorithm and convert it to a base 64 string
var hmacSignature = crypto
.createHmac("SHA512", Buffer.from(key, "ASCII"))
.update(content)
.digest("base64");
if (hmacSignature === rr_signature) {
//signature is valid
console.log("Valid");
}
else {
//signature is invalid
console.log("Invalid");
}
Python Sample
# === Imports ===
# hmac: Used to generate the HMAC for signature verification.
# hashlib: Provides access to secure hash functions like SHA-512 used in the HMAC process.
# base64: Encodes the binary HMAC digest into a base64 string to match the format of the received signature.
# http.server:
# - BaseHTTPRequestHandler: Allows you to define how to handle incoming HTTP requests (e.g., POST).
import hmac
import hashlib
import base64
from http.server import BaseHTTPRequestHandler
# Replace key value here with your Webhook Key
SECRET_KEY = "rr_qXnAimw1krN8N1x8NFwA"
# Replace webhook event with matching webhook event, e.g. RewardIssue, ReferralAdd, etc.
WEBHOOK_EVENT = "MemberUpdate"
class WebhookHandler(BaseHTTPRequestHandler):
def do_POST(self):
# Read the raw request body
content_length = int(self.headers.get('Content-Length', 0))
raw_body = self.rfile.read(content_length).decode("utf-8")
# The value below should be taken from the 'RR-Signature' header in the request
received_signature = self.headers.get("RR-Signature")
# Concatenate the payload JSON body raw data with webhook event to match the content
# that was used before encrypting the signature
content = f"{raw_body}.{WEBHOOK_EVENT}"
# Generate HMAC SHA512 signature
hmac_obj = hmac.new(
key=SECRET_KEY.encode("ascii"),
msg=content.encode("ascii"),
digestmod=hashlib.sha512,
)
# Convert signature to base64
generated_signature = base64.b64encode(hmac_obj.digest()).decode("utf-8")
# Compare signatures
if generated_signature == received_signature:
print("Valid Signature", flush=True)
self.send_response(200)
self.end_headers()
self.wfile.write(b"OK")
else:
print("Invalid Signature", flush=True)
self.send_response(401)
self.end_headers()
self.wfile.write(b"Unauthorized")