What is webhook?
A webhook allows third-party services to send real-time updates to your app. Updates are triggered by some event or action by the webhook provider and pushed to your app via HTTP requests. When you receive the request, you handle it with some custom logic, like sending an email or storing the data in a database.
Buy Me a Coffee utilizes webhooks to inform your application of events occurring within your account. This enables creators to automate certain actions based on events, for e.g; when someone buys them a coffee or when someone subscribes to their membership.
Create a webhook
Go to Integrations in your creator dashboard.
Click New webhook.
Enter a Webhook name to help identify it later.
Enter your Endpoint URL.
Under Add events, select the events you want to receive.
Click Save.
Enable or disable a webhook
The webhook can be enabled or disabled at any time using the Delivery status toggle on the webhook details page.
Note: If more than 10 consecutive deliveries fail, the webhook is automatically disabled and an email notification is sent to you.
Signing secret
Each webhook has a unique Signing Secret used to verify that incoming webhook requests were sent by Buy Me a Coffee.
You can find the signing secret on the webhook details page.
Important: Rolling the signing secret immediately invalidates the previous secret. Update your application before generating a new one.
Verify webhook signatures
Every webhook request includes the following header:
x-signature-sha256
To verify the request:
Read the raw request body exactly as received.
Generate an
HMAC-SHA256hash using:the raw request body as the message
your signing secret as the key
Compare the generated hash with the value in the
x-signature-sha256header.If both values match, the request is authentic.
Example (Node.js)
const crypto = require('crypto');
function verifySignature(rawBody, secret, signature) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}
Send a test event
Open the webhook details page.
Click Send test event.
Select an event type.
Review the request preview.
Click Send test.
Edit a webhook
Open the three-dot menu on the webhook details page and click Edit.
You can update:
Webhook name
Endpoint URL
Subscribed events
Delete a webhook
Open the three-dot menu and click Delete.
Warning: Deleting a webhook is permanent and cannot be undone.
Event deliveries
The Event deliveries section displays every delivery attempt for the webhook.
Click any delivery to view:
Retry behavior
Failed webhook deliveries are retried automatically up to 4 additional times using exponential delays:
Supported event types
Event | Trigger |
| A supporter makes a one-time donation |
| A one-time donation is refunded |
| A shop item is purchased |
| A shop order is updated |
| A shop order is refunded |
| A commission order is placed |
| A commission order is refunded |
| A wishlist item receives funding |
| A wishlist payment is refunded |
| A membership subscription begins |
| A membership subscription is updated |
| A membership subscription is cancelled |
| A membership subscription is paused |
| A monthly support begins |
| A monthly support is updated |
| A monthly support is cancelled |
Webhook payload structure
Every webhook event follows the same outer structure.
{
"event_id": 1234,
"type": "donation.created",
"live_mode": true,
"created": 1719825600,
"attempt": 1,
"data": {}
}Field | Description |
| Unique identifier for the delivery |
| Event type |
|
|
| Unix timestamp when the event was created |
| Current delivery attempt number |
| Event-specific payload |
For complete payload definitions for every event, download the OpenAPI specification.
OpenAPI specification
A complete OpenAPI 3.1 specification describing all webhook event payloads is available as a JSON file:
Download bmc-webhooks-openapi.json
This file covers:
All 16 event types and their full payload schemas
The shared event envelope structure
Signature verification details
Retry behavior and test event flags





