Step 2 · Webhooks
We notify you of every deposit and withdrawal by sending a webhook — an HTTP POST to two endpoints you host. Your platform receives the notification, validates the signature, records the transaction, and replies with one of the documented responses below.
Each request carries an Authorization: Bearer <signature> header. Always validate the signature before trusting the payload.
The two endpoints
You host these two endpoints on your own domain. Both are POST with Content-Type: application/json and the Authorization: Bearer <signature> header.
| Notification | Method | Path |
|---|---|---|
| Deposits | POST | {affiliate_base_url}/notifications/apuesteria/deposits/ |
| Withdrawals | POST | {affiliate_base_url}/notifications/apuesteria/withdrawals/ |
{affiliate_base_url} is the base URL you provide for your integration.
Deposit notification
This is the request body we send to your deposits endpoint:
{
"status": "success",
"code": "0000",
"point_of_sale": {
"id": 124,
"name": "Sucursal de Pruebas",
"currency_code": "MXN"
},
"deposit": {
"username": "5555555555",
"description": "Deposito en Cuenta - 4345FF2XB7F323CD",
"transaction_number": "4345FF2XB7F323CD",
"amount": 100.00,
"currency_code": "MXN"
},
"created_at": "2019-05-18 13:18:37"
}
Withdrawal notification
This is the request body we send to your withdrawals endpoint:
{
"status": "success",
"code": "0000",
"point_of_sale": {
"id": 123,
"name": "Sucursal de Pruebas",
"currency_code": "MXN"
},
"withdrawal": {
"username": "5555555555",
"description": "Retiro de Cuenta - 4345FF2XB7F3123D",
"transaction_number": "4345FF2XB7F3123D",
"amount": 200.00,
"currency_code": "MXN"
},
"created_at": "2019-05-18 13:18:37"
}
Field reference
Both notifications share the same shape. The only difference is the transaction object, which is named deposit in a deposit notification and withdrawal in a withdrawal notification; its inner fields are identical.
| Field | Type | Description |
|---|---|---|
status | string | Outcome of the transaction on our side (e.g. success). |
code | string | Result code for the transaction (e.g. 0000). |
point_of_sale.id | integer | Identifier of the point of sale the transaction belongs to. |
point_of_sale.name | string | Human-readable name of the point of sale. |
point_of_sale.currency_code | string | Currency of the point of sale (ISO 4217, e.g. MXN). |
deposit / withdrawal.username | string | The end user's username for the transaction. |
deposit / withdrawal.description | string | Human-readable description of the transaction. |
deposit / withdrawal.transaction_number | string | Unique identifier of the transaction. Use it as your idempotency key. |
deposit / withdrawal.amount | number | Transaction amount. |
deposit / withdrawal.currency_code | string | Currency of the transaction (ISO 4217, e.g. MXN). |
created_at | string | Timestamp of the transaction (YYYY-MM-DD HH:MM:SS). |
transaction_number uniquely identifies the transaction. Use it as your idempotency key so that receiving the same notification more than once is handled safely — look the transaction up by transaction_number and, if you have already recorded it, return your success response without applying it again.
Expected response
Your endpoint must reply with one of the responses below. On success, return 201 Created with the transaction_number you received:
{
"status": "success",
"transaction_number": "4345FF2XB7F323CD",
"message": null
}
If you cannot accept the notification, return the matching error response:
| Status | Body |
|---|---|
400 Bad Request | {"status":"error","transaction_number":null,"message":"JSON data is empty"} |
404 Not Found | {"status":"error","transaction_number":"4345FF2XB7F323CD","message":"Point of sale ID is not found"} |
500 Internal Server Error | {"status":"error","transaction_number":"4345FF2XB7F323CD","message":"Internal Server Error"} |
Validate the signature first
Every notification carries an Authorization: Bearer <signature> header, and your endpoint must validate it before trusting the payload. The JSON on this page is formatted for readability; the signature is computed over the exact raw bytes as transmitted, so validate against the raw request body, not a re-serialized version. See Signature for the formula, a worked example, and validation code.