Receiving and understanding messages


Sample header

Accept: application/json
To ensure that events really come from Purchasely Cloud Platform, you can authenticate each event using information contained in the headers of the HTTP request:
  • X-PURCHASELY-SIGNATURE: message signature
  • X-PURCHASELY-TIMESTAMP: request timestamp to avoid replay attacks
This verification is optional.
Depending on your framework, you may receive the headers under another format:
  • NestJS: x-purchasely-signature
The signature relies on a shared secret (Client shared secret) that you can find in your Purchasely Console under Settings > Webhooks.
Sample code for signature verification:
Node.js:

const crypto = require("crypto");

// Request headers
// ---------------
const xPurchaselyTimestamp = "1580909929";
const xPurchaselySignature = "ea909b88098b63ef93711cd14542403e5efe1a23c07d94a764bd4db55abba5a6";

// Signature verification
// ----------------------
const webhookSharedSecret = "foobar";
const dataToSign = webhookSharedSecret + xPurchaselyTimestamp;
// Hex-encoded HMAC-SHA256 of dataToSign, keyed with the shared secret
const computedSignature = crypto
  .createHmac("sha256", webhookSharedSecret)
  .update(dataToSign)
  .digest("hex");

if (computedSignature === xPurchaselySignature) {
  // request authenticated
}

Ruby:

require 'openssl'

# Request headers
# ---------------
x_purchasely_timestamp = '1580909929'
x_purchasely_signature = 'ea909b88098b63ef93711cd14542403e5efe1a23c07d94a764bd4db55abba5a6'

# Signature verification
# ----------------------
webhook_shared_secret = 'foobar'
data_to_sign = webhook_shared_secret + x_purchasely_timestamp
# Hex-encoded HMAC-SHA256 of data_to_sign, keyed with the shared secret
computed_signature = OpenSSL::HMAC.hexdigest('sha256', webhook_shared_secret, data_to_sign)

if computed_signature == x_purchasely_signature
  # request authenticated
end

Kotlin:

// Imports
// -------
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Request headers
// ---------------
val xPurchaselyTimestamp = "1580909929"
val xPurchaselySignature = "ea909b88098b63ef93711cd14542403e5efe1a23c07d94a764bd4db55abba5a6"

// Signature verification
// ----------------------
val webhookSharedSecret = "foobar"
val dataToSign = webhookSharedSecret + xPurchaselyTimestamp
// Hex-encoded HMAC-SHA256 of dataToSign, keyed with the shared secret
val hmac = Mac.getInstance("HmacSHA256")
hmac.init(SecretKeySpec(webhookSharedSecret.toByteArray(), "HmacSHA256"))
val computedSignature = hmac.doFinal(dataToSign.toByteArray()).joinToString("") { "%02x".format(it) }

if (computedSignature == xPurchaselySignature) {
    // request authenticated
}
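
The following is an added example, not Purchasely's own code. It extends the samples above by looking the headers up case-insensitively, comparing the HMAC in constant time, and rejecting timestamps outside a freshness window, which is what makes the timestamp header useful against replays. The 300-second window, the function names and the return shape are assumptions.

```javascript
const crypto = require("crypto");

// Assumption: accepted request age / clock skew in seconds (not a Purchasely value).
const MAX_SKEW_SECONDS = 300;

// Frameworks may deliver header names in another case (e.g. lowercased),
// so match them case-insensitively.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Same construction as the page's samples:
// hex HMAC-SHA256, keyed with the secret, over secret + timestamp.
function computeSignature(secret, timestamp) {
  return crypto.createHmac("sha256", secret).update(secret + timestamp).digest("hex");
}

// Returns { ok: boolean, reason: string }.
function verifyWebhook(headers, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = getHeader(headers, "X-PURCHASELY-TIMESTAMP");
  const signature = getHeader(headers, "X-PURCHASELY-SIGNATURE");
  if (!timestamp || !signature) return { ok: false, reason: "missing header" };
  if (!/^\d{1,12}$/.test(timestamp)) return { ok: false, reason: "bad timestamp" };
  if (!/^[0-9a-f]{64}$/i.test(signature)) return { ok: false, reason: "bad signature format" };

  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  const expected = Buffer.from(computeSignature(secret, timestamp), "hex");
  const received = Buffer.from(signature, "hex");
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature mismatch" };
  }

  // An authentic but old header pair is treated as a replay.
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale timestamp" };
  }
  return { ok: true, reason: "authenticated" };
}

// Constructed sample request: secret and timestamp reuse the page's sample values,
// the signature is computed here rather than copied.
const secret = "foobar";
const ts = "1580909929";
const sampleHeaders = {
  "x-purchasely-timestamp": ts,
  "x-purchasely-signature": computeSignature(secret, ts),
};
console.log(verifyWebhook(sampleHeaders, secret, Number(ts) + 10));   // within the window
console.log(verifyWebhook(sampleHeaders, secret, Number(ts) + 3600)); // same headers, one hour later
```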


Sample body

{
  "api_version": 3,
  "effective_next_renewal_at": "2022-01-12T22:52:28.062Z",
  "effective_next_renewal_at_ms": 1642027948062,
  "environment": "SANDBOX",
  "event_created_at": "2022-01-05T22:52:27.014Z",
  "event_created_at_ms": 1641423147014,
  "event_name": "YOU_MUST_BE_READY_TO_ACCEPT_ANY_EVENT_TYPE_1641423147",
  "is_family_shared": false,
  "next_renewal_at": "2022-01-12T22:52:28.062Z",
  "next_renewal_at_ms": 1642027948062,
  "offer_type": "NONE",
  "original_purchased_at": "2022-01-05T22:52:22.014Z",
  "original_purchased_at_ms": 1641423142014,
  "plan": "purchasely_plan_id",
  "previous_offer_type": "NONE",
  "product": "purchasely_product_id",
  "purchased_at": "2022-01-05T22:52:22.014Z",
  "purchased_at_ms": 1641423142014,
  "purchasely_subscription_id": "subs_xxxxxxxxxxxxxxx",
  "store_app_bundle_id": "com.purchasely.app",
  "store_country": "fr",
  "store_original_transaction_id": "store_original_transaction_id",
  "store_product_id": "plan_id_in_the_store",
  "store_transaction_id": "store_original_transaction_id",
  "subscription_status": "AUTO_RENEWING",
  "user_id": "your_internal_user_id"
}
More information on these properties can be found here:
Never use the next_renewal_at / effective_next_renewal_at to invalidate a subscription (and always use the webhook sent to you for this sole purpose). This date is only here to help your marketing team take actions (or if you want to display the next renewal date in your app).
If you ever need a fail-safe to unsubscribe users in case an issue occurs with Apple/Google/Huawei/Purchasely/your servers, you should leave a margin of at least 24h on top of the given next_renewal_at / effective_next_renewal_at.


When called by Purchasely Cloud Platform, the client backend should respond with an HTTP code:
  • HTTP 200 ⇒ the Event has been successfully received and processed (e.g. the subscription has been activated/deactivated)
  • Other than HTTP 200 or no response (timeout) ⇒ an error has occurred and the Event could not be processed:
    • The user is warned through the SDK that something did not work
    • Purchasely Cloud Platform will retry several times to send the Event (max 25 times) in the following hours.
This response from the client backend to the Purchasely Console is mandatory, particularly for purchase events (e.g. new subscriptions) coming from the SDK, to ensure that the client backend has granted the user the entitlements corresponding to the new purchase and unlocked access to the premium content or features.
This response from the client backend is forwarded to the mobile SDK, and an error message is displayed to the user if it is different from HTTP 200.