WMG POSTAL API DOCS

Appearance

Webhook Status

Subscribe Status Response

http
POST [Your callback webhook url]
Content-Type:application/json

x-wmg-hmac-sha256: {generated_signature}
x-wmg-timestamp: 1753753069 // callback timestamp(10-digit, second) type = String

NOTE

x-wmg-timestamp (callback timestamp(10-digit, second) type = String)

Please refer to the following diagram for the location of the callback webhook url and webhook secret key

json5
{
    "tracking_num":"EG863814",    // wmg tracking num
    "custom_tracking_num":"CEG863814",    // custom tracking num
    "status":"LP_LP",     // status
    "remark":"",  // remark
    "status_time":1753406381,  // status timestamp
    "files": []  // imgs url, eg ["http://xxxxxxxx.png", "http://xxxxx.jpg"]
}

NOTE

After receiving the subscription status and processing it correctly, a response of { success: true } needs to be returned. Otherwise, the system will send it again

json
{
 "success": true
}

Subscribe Status Request

json
{
  "success": true
}

API Subscribe Status Callback Signature

1. Signature Generation (for subscriber verification)

a. Data Preprocessing

  • Sort all post parameters and Http header parameters(start with 'x-wmg', exclude 'x-wmg-hmac-sha256') ascending by key (ASCII order)
  • Convert to standard JSON string (without Unicode escaping) Example data structure:
json5
{
  "tracking_num":"EG863814",
  "custom_tracking_num":"CEG863814",
  "status":"LP_LP",
  "remark":"",
  "status_time":1753406381,
  "files": []
}

b. Signature Calculation Use HMAC-SHA256 algorithm:

Signature = Base64( HMAC-SHA256( Secret Key, JSON String ) )
  • Secret Key: Pre-shared symmetric key
  • Output in raw binary format and then Base64 Encode

c. Signature Delivery Include in HTTP Header:

x-wmg-hmac-sha256: {generated_signature}
x-wmg-timestamp: 1753753069 // callback timestamp(10-digit, second) type = String

Detail Example:

php
<?php
function build_signature($secret, array $data, $headers = [], $algo = 'sha256', $is_binary = true)
{
    $header_data = [];
    foreach ($headers as $k => $v) {
        // include start with 'x-wmg'
        if (str_starts_with($k, 'x-wmg')) {
            // exclude 'x-wmg-hmac-sha256'
            if ($k === 'x-wmg-hmac-sha256') {
                continue;
            }
            $header_data[$k] = (string)$v;
        }
    }
    // Merge header and Data Params
    $d = [...$data, ...$header_data];
    // Sort all parameters **ascending by key** (ASCII order)
    ksort($d);
    // Convert to **standard JSON string** (without Unicode escaping)
    $str = json_encode($d);
    // Output in raw binary format and then Base64 Encode
    return base64_encode(hash_hmac($algo, $str, $secret, $is_binary));
}


$header = $request->header();
// eg. $header = ['x-wmg-timestamp' => '1753753069'];

$data = [];
$data['tracking_num'] = 'EG863814';
$data['custom_tracking_num'] = 'CEG863814';
$data['status'] = 'LP_LP';
$data['remark'] = '';
$data['status_time'] = 1753406381;
$data['files'] = [];

// Pre-shared symmetric key
$secret = 'abc';
$signature = build_signature($secret, $data, $header);
// $signature = UMza8Ni0wNlLPPCgrCKHpRAnpVC6eMpz7d7IveRF44Q=