FUGA distribution platform webhook
Receives product delivery and status update events from the FUGA distribution platform.
Description
This endpoint is called by FUGA, not by API users — configure it as the webhook URL in your FUGA account ashttps://api.royalti.io/webhook/fuga/{your-tenant-id}.
Authentication: Requires x-fuga-signature header containing SHA3-256 hash (not HMAC).
Important: FUGA uses simple hash (SHA3-256) of payload + salt, NOT HMAC.
Security Features:
- SHA3-256 signature verification with tenant-specific salt
- Timestamp validation (rejects webhooks older than 5 minutes)
- Duplicate message prevention using webhook ID + Redis caching (24-hour TTL)
- Replay attack protection
- Verifies SHA3-256 signature using tenant-specific salt
- Validates webhook timestamp (must be within 5 minutes)
- Checks for duplicate webhook ID in Redis cache
- Finds DDEX delivery record by FUGA reference (or by product UPC for delivery events)
- Updates delivery status based on event type
- Updates product metadata with FUGA status
- Sends provider-agnostic notifications for status changes
product_state- Product acceptance/rejection/processing status (also handles the legacyproduct.accepted,product.rejected,product.processing,product.delivered,product.failedvalues)product_change- Metadata updates in FUGA (informational only, no action taken)delivery_completed- Product delivered to a DSPdelivery_cancelled- Delivery cancelled by FUGAdelivery_rejected- Delivery rejected by a DSPxml_ingestion- Metadata/XML ingestion resultdelivery.status/delivery.acknowledgment- Legacy acknowledgment events, queued for async processing
type values are acknowledged with 200 and logged, not rejected.
Code Examples
Headers
Unique webhook ID used for duplicate-delivery detection (not required, but recommended)
Path Parameters
Tenant ID for webhook routing
Body
FUGA event type. product_state, product_change, delivery_completed,
delivery_cancelled, delivery_rejected, and xml_ingestion are the current
event types; the product.* and delivery.* dotted values are legacy types
kept for backward compatibility.
product_state, product_change, delivery_completed, delivery_cancelled, delivery_rejected, xml_ingestion, product.accepted, product.rejected, product.processing, product.delivered, product.failed, delivery.status, delivery.acknowledgment "product_state"
Event timestamp (ISO 8601). Webhooks older than 5 minutes are rejected.
"2024-11-13T14:32:00Z"
FUGA organization ID
12345
Event-specific data payload
SHA3-256 signature (not used — the signature is sent in the x-fuga-signature header, not the body)
Response
Webhook processed. FUGA webhooks always return 200 (even for internal processing
errors and unmatched deliveries) so the platform does not retry — check status
in the response body to distinguish outcomes.