guides | 2028-08-14 | 6 min read

Affiliate Postback URL: What It Does for Creators

thMenu Phase 3 postback feature: add your webhook URL in the dashboard, get HMAC-SHA256 signed POSTs for every commission event, route them to Discord or your CRM.

thMenu Team

thmenu.com

An affiliate creator in Ankara was running a live coaching stream when she wanted a Discord notification to fire the instant a new commission landed. The fix was the Phase 3 postback URL feature: paste your own webhook URL into the dashboard, and thMenu sends every commission event as a signed POST.

How Postback URLs Work

Inside your affiliate dashboard, open Settings → Postback URL. Paste your endpoint, flip the "Enabled" toggle, and click Generate Signing Secret. The secret is a 32-character hex string shown exactly once — afterward it lives as a hash in our database, never recoverable in plaintext.

Whenever a commission event fires — one of created, refunded, or released — the worker POSTs to your URL with an X-thMenu-Signature: sha256=<hmac> header. On your side you recompute the HMAC and compare; if it matches, the payload is authentic. If not, drop it and log the attempt.

Real Creator Scenarios

The most powerful pattern for creators is Discord webhook integration for community engagement. The Ankara creator broadcast "Someone just used my code — $47 commission" to her 320 coaching members during a live session; engagement tripled within an hour.

Common destinations include: Discord or Slack notification bots, personal HubSpot or Notion CRMs, Zapier/Make flows that append to Google Sheets, Telegram push channels, and email digests for an accountant. Each event type can be handled differently — celebration on created, alert on refunded, payout prep on released.

Reliability and Retry Policy

If your endpoint does not return 2xx within 5 seconds, the worker marks the attempt failed and writes a row to affiliate_postback_log. Every hour a retry cron picks up failures — up to 5 attempts with exponential backoff (1m, 5m, 30m, 2h, 6h). After the fifth failure, the event is marked dead and an admin alert fires.

That is why idempotency matters. If retries deliver the same event_id twice, you do not want two Discord pings for one commission. UPSERT by event_id in your store and return 200 if the event was already processed. Also enforce a timestamp tolerance: reject requests older than 5 minutes to mitigate replay attacks. Compare the signature in constant time so that response timing does not reveal how many bytes of a forged signature were correct.
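A receiver-side sketch of the checks described above (signature, replay window, idempotency), added here as an example and not thMenu's own code. It assumes the HMAC is hex-encoded and computed over the raw request body with the secret's ASCII bytes as key, and that the JSON payload carries `event_id`, `type` and a Unix `timestamp` set at each delivery attempt (otherwise the later retries would fall outside the 5-minute window); those field names and `open_store`, `sign` and `handle_postback` are hypothetical.

```python
import hashlib
import hmac
import json
import sqlite3
import time

TOLERANCE_SECONDS = 300  # the 5-minute replay window from the article
EVENT_TYPES = ("created", "refunded", "released")

def open_store(path=":memory:"):
    """Dedup table keyed by event_id (the idempotency key)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS events (event_id TEXT PRIMARY KEY, type TEXT)")
    return db

def sign(secret, raw_body):
    """Header value as assumed here: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def handle_postback(db, secret, raw_body, signature_header, now=None):
    """Return (http_status, reason) for one delivery."""
    now = time.time() if now is None else now
    # 1. Authenticate the exact bytes received, before parsing them.
    #    compare_digest takes time independent of where the inputs differ.
    received = (signature_header or "").strip().lower().encode()
    if not hmac.compare_digest(sign(secret, raw_body).encode(), received):
        return 401, "bad signature"
    # 2. Parse only after the signature checks out.
    try:
        event = json.loads(raw_body)
        event_id, kind = str(event["event_id"]), event["type"]
        sent_at = float(event["timestamp"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if kind not in EVENT_TYPES:
        return 400, "unknown event type"
    # 3. Replay window; written so a NaN timestamp is rejected too.
    if not abs(now - sent_at) <= TOLERANCE_SECONDS:
        return 400, "stale timestamp"
    # 4. Idempotency: the primary key makes a redelivered event_id a no-op.
    cur = db.execute("INSERT OR IGNORE INTO events VALUES (?, ?)", (event_id, kind))
    db.commit()
    return 200, ("processed" if cur.rowcount == 1 else "duplicate")

if __name__ == "__main__":
    secret = b"0123456789abcdef0123456789abcdef"  # constructed, not a real secret
    body = json.dumps({"event_id": "evt_1", "type": "created", "timestamp": time.time()}).encode()
    db = open_store()
    print(handle_postback(db, secret, body, sign(secret, body)))  # first delivery
    print(handle_postback(db, secret, body, sign(secret, body)))  # retry of the same event
```

Trigger the Discord or CRM side effect only on the "processed" result, and pass the body bytes exactly as received: re-serializing the JSON before hashing changes the bytes and breaks the comparison.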

FAQ

Is the postback URL paid? No — it is free for every active affiliate. There is no tier requirement either.

Can I test it? Yes. The dashboard has a "Send Test Event" button that posts a fake payload so you can verify your endpoint logs and parsing.

What if I lose my signing secret? Regenerate it — the old one is revoked instantly and all future events are signed with the new secret.
