Check-in Webhook

Webhooks

Wellhub webhooks act as notifiers based on specific events that are triggered by end-user interactions.

This notification is an HTTP POST request sent to the registered URL you provide Wellhub.

This document describes both the Check-in Event along with the data payload we send and the API resources available for these webhooks.

General Information

Data Format

Every API resource and push event uses JSON as its standard data format.

Security

When Wellhub sends an event notification to a registered webhook, we include a signature header so you know the request was sent from our servers. The header name is X-Gympass-Signature. We strongly recommend that you verify this signature when you receive a request at your webhook endpoint. This allows you to verify that the events were sent by Wellhub, not by a third party.

Before you can verify signatures, you need to retrieve your secret key from Wellhub Tech Sales.

  • Wellhub generates the signature by encoding the HTTP request body using your secret key.
  • The encryption is done by HMAC-SHA-1 algorithm, and the body of the request will need to be stringified.
  • Compare the signature string with the Wellhub header value. If they match, the message came from Wellhub servers.
  • The signature string will always be Upper.

Below you will find a number of templates you can use to generate the hash script.

JavaScript || Java || C# || GO || PHP || Python

Retry

The response time is 1s. After that, if we have no response, we retry 3 times immediately after the missed response.

Check-in Webhook

The Check-in event is a notification emitted once a Wellhub User makes a physical check-in to a Gym Partner via the Wellhub App.

The example below details the data contained in the payload we will send to your endpoint

POST - check-in

https://your-webhook-url-here.com

The check-in event triggers a POST request to your registered URL. Below you will find the description for the data payload that is sent on every request.

Request example
1curl --location --request POST 'https://your-webhook-url-here.com' \
2--header 'Content-Type: application/json' \
3--header 'X-Gympass-Signature: 0XFBDB1D1B18AA6C08324B7D64B71FB76370690E1D' \
4--data-raw  ' {
5         "event_type": "checkin",
6         "event_data": {
7             "user": {
8                 "unique_token": "0123456789012",
9                 "first_name": "Firstname",
10                 "last_name": "Lastname",
11                 "email": "user@email.com",
12                 "phone_number": "447889123456"
13                },
14                 "location": {
15                     "lat": 51.4937541,
16                     "lon": 0.0633661
17                     },
18                "gym": {
19                    "id": 123456,
20                    "title":" Name of the Gym",
21                    "product": {
22                        "id":  1,
23                        "description":"Description of product"
24                             }
25                        },
26                "timestamp": 1666629613
27                }
28        } '
NameTypeDescription
event_typeStringA description of the event that was triggered. For the check-in event
event_dataObjectContains the data sent by the event.
event_data.userObjectContains all the data for the user who has triggered the check-in
event_data.user.unique_tokenStringThe Wellhub ID for the user
event_data.user.first_nameStringFirst name of the user
event_data.user.last_nameStringLast name of the user
event_data.user.emailStringEmail address of the user
event_data.user.phone-numberStringPhone number of the user
event_data.coordinatesObjectContains the lat and long information for the gym where the check-in is being made.
event_data.coordinates.latDoubleLatitude for the gym where the check-in has taken place.
event_data.coordinates.lonDoubleLongitude for the gym where the check-in has taken place.
event_data.gym.idIntThe gym ID for which the check-in refers.
event_data.gym.titleStringThe gym name for which the check-in refers.
event_data.productObjectProduct details for which the check-in refers
event_data.product.descriptionStringProduct description
event_data.product.idIntProduct code number
pass_type_number.timestampLongTimestamp for the creation date of the event

Headers

FieldDescription
Content-Typeapplication/json
X-Gympass-Signature0XFBDB1D1B18AA6C08324B7D64B71FB76370690E1D

Please note that the X-Gympass-Signature listed above is for display purposes only. please refer to the security section above regarding the X-Gympass-Signature.

Response example

Response
1{
2    "event_type": "checkin",
3    "event_data": {
4        "user": {
5            "unique_token": "0123456789012"
6        },
7         "location": {
8                     "lat": 51.4937541,
9                     "lon": 0.06336616 
10        },
11        "gym": {
12            "id": 123456,
13            "title": " Name of the Gym",
14            "product": {
15                "description": "Test description",
16                "id": 1
17            }
18        },
19        "timestamp": 1560983373378
20    }
21}

Check-in Event Use Case

As Wellhub subscribers' check-ins are asynchronous, and we don't know when they are likely to occur, we need a way to notify our partners that a legitimate Wellhub subscriber has legitimate access to your facility.

By receiving the check-in event webhook, we can synchronize our data with our partners to confirm that the subscriber is a legitimate Wellhub member, has access to our partner's facility, and has commenced a valid check-in.

Profile Automation

The payload of the Check-in event contains information that is unique to that Wellhub subscriber.

Inside the "user" object of the check-in payload, you will see the key "unique_token". This is the Wellhub subscriber UUID also known as a Wellhub ID. This can be used to automate the process of building a Wellhub subscriber profile upon their first visit.

See below for an example of this process

Enlarge Image

Check-in Webhook Example (1).png

The user creation workflow above details the creation process of a new Wellhub user on their first visit to the partner facility. The automation of a new user profile is a one-time process occurrence. When the Wellhub user makes a subsequent visit to this facility we will automatically know that the subscriber is already in the facility's CRM database.

Email and Name can also be included in the webhook payload, please speak with your technical point of contact at Wellhub regarding this.

X-Gympass-Signature Scripts

JavaScript

SHA 1 HASH
1const crypto = require('crypto');
2

3// Your secret key provided by Wellhub
4const secretKey = '*Secret Key*';
5

6// Function to generate the x-gympass-signature
7function generateGympassSignature(requestBody) {
8  const hmac = crypto.createHmac('sha1', secretKey);
9  hmac.update(requestBody);
10  const signature = hmac.digest('hex');
11  return signature.toUpperCase();
12}
13

14// Example usage
15const requestBody = JSON.stringify({ **Webhook event Body Payload** });
16

17const gympassSignature = generateGympassSignature(requestBody);
18

19console.log('Generated x-gympass-signature:', gympassSignature);

Java

SHA1 HASH
1import javax.crypto.Mac;
2import javax.crypto.spec.SecretKeySpec;
3import java.nio.charset.StandardCharsets;
4import java.security.InvalidKeyException;
5import java.security.NoSuchAlgorithmException;
6

7public class GympassSignatureGenerator {
8    public static void main(String[] args) {
9        // Your secret key provided by Gympass
10        String secretKey = "";
11

12        // Example request body
13        String requestBody = "Webhook request body";
14

15        String gympassSignature = generateGympassSignature(requestBody, secretKey);
16

17        System.out.println("Generated x-gympass-signature: " + gympassSignature);
18    }
19

20    public static String generateGympassSignature(String requestBody, String secretKey) {
21        try {
22            Mac hmacSha1 = Mac.getInstance("HmacSHA1");
23            SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
24            hmacSha1.init(keySpec);
25            byte[] hash = hmacSha1.doFinal(requestBody.getBytes(StandardCharsets.UTF_8));
26            StringBuilder hexString = new StringBuilder();
27            for (byte b : hash) {
28                String hex = Integer.toHexString(0xFF & b);
29                if (hex.length() == 1) {
30                    hexString.append('0');
31                }
32                hexString.append(hex);
33            }
34            return hexString.toString().toUpperCase();
35        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
36            e.printStackTrace();
37        }
38        return null;
39    }
40}

C#

SHA 1 HASH
1using System;
2using System.Security.Cryptography;
3using System.Text;
4

5class Program
6{
7    static string GenerateGympassSignature(string requestBody, string secretKey)
8    {
9        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secretKey)))
10        {
11            byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody));
12            return BitConverter.ToString(hash).Replace("-", "").ToUpper();
13        }
14    }
15

16    static void Main()
17    {
18        string secretKey = "*Secret Key*";
19        string requestBody = "{**Webhook event Body Payload** }";
20        
21        string gympassSignature = GenerateGympassSignature(requestBody, secretKey);
22

23        Console.WriteLine("Generated x-gympass-signature: " + gympassSignature);
24    }
25}

Go

SHA 1 HASH
1package main
2

3import (
4    "crypto/hmac"
5    "crypto/sha1"
6    "encoding/hex"
7    "fmt"
8)
9

10func generateGympassSignature(requestBody string, secretKey string) string {
11    hmacSha1 := hmac.New(sha1.New, []byte(secretKey))
12    hmacSha1.Write([]byte(requestBody))
13    signature := hex.EncodeToString(hmacSha1.Sum(nil))
14    return fmt.Sprintf("%s", signature)
15}
16

17func main() {
18    secretKey := "*Secret Key*"
19    requestBody := `{**Webhook event Body Payload** }`
20

21    gympassSignature := generateGympassSignature(requestBody, secretKey)
22

23    fmt.Println("Generated x-gympass-signature:", gympassSignature)
24}

PHP

SHA 1 HASH
1<?php
2

3function generateGympassSignature($requestBody, $secretKey) {
4  $signature = hash_hmac('sha1', $requestBody, $secretKey);
5  return strtoupper($signature);
6}
7

8$secretKey = '*Secret Key*';
9$requestBody = '{**Webhook event Body Payload** }';
10

11$gympassSignature = generateGympassSignature($requestBody, $secretKey);
12

13echo 'Generated x-gympass-signature: ' . $gympassSignature;
14?>

Python

SHA 1 HASH
1import hmac
2import hashlib
3

4def generate_gympass_signature(request_body, secret_key):
5    signature = hmac.new(secret_key.encode('utf-8'), request_body.encode('utf-8'), hashlib.sha1).hexdigest()
6    return signature.upper()
7

8secret_key = '*Secret Key*'
9request_body = '{**Webhook event Body Payload** }'
10

11gympass_signature = generate_gympass_signature(request_body, secret_key)
12

13print('Generated x-gympass-signature:', gympass_signature)