IAMGameWallet · DocsDeveloper portal →

Webhooks

Register an endpoint in the portal to receive events when things happen in your app. Every delivery is signed so you can verify it came from us. Deliveries are retried with backoff until your endpoint returns 2xx.

Events

user.created — a new player signed in for the first time.
wallet.created — a wallet was provisioned for a user.
wallet.exported — a user exported a wallet to self-custody.

Payload

json
{
  "type": "wallet.created",
  "data": { "id": "…", "userId": "…", "address": "…", "custody": "self", "status": "active" }
}

Verifying the signature

Each request carries an HMAC-SHA256 of the raw body, keyed by your webhook signing secret (shown once when you create the subscription). Compute it over the exact bytes received and compare in constant time.

TS
import crypto from "crypto";

function verify(rawBody: string, signatureHeader: string, secret: string): boolean {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signatureHeader));
}

Use the raw request body for the HMAC — re-serializing the JSON will change the bytes and break verification.