Overview

ClickBank offers an Instant Notification service that notifies you of transactions within the ClickBank system for your account. It sends data in a near real-time fashion for the following action types:

  • Sale
  • Rebill
  • Refund
  • Chargeback
  • Cancel Rebill
  • Test

The service attempts to post information via HTML FORM POST to a URL specified by you. Each post contains a group of URL Parameters relevant to the transaction. To prevent fraud, one of the parameters, the cverify field, is used to verify the validity of the other fields.

Note: This service is intended for use by experienced programmers. Clients without extensive programming skills should refrain from implementing Instant Notifications without first enlisting the services of an experienced programmer.

How it Works

The ClickBank Instant Notification service is triggered every time a transaction is created or an action is taken upon a transaction in your ClickBank account. The primary flow involves the following steps:

  1. An action occurs in the ClickBank system (ex sale, rebill, refund, etc)
  2. ClickBank posts FORM parameters to a URL you specify
  3. ClickBank observes the server response
  4. A program you build processes the variables

Setting up the service on your ClickBank account is straightforward. However, it is also necessary to build a program that processes the Instant Notification URL Parameters, which is a more technical task. In order to make good use of this service, your program must at least process the parameters outline in the URL Parameters section of this document.

What You Need to Know

For the Instant Notification service to function properly, you need to understand the following items. Failure to properly understand and implement these items will result in removal of Instant Notification from your account.

  1. What a HTML FORM POST to a URL is
  2. What URL Parameters are
  3. What a Secret Key is
  4. How to implement Cipher
  5. The importance of utilizing Secure Socket Layer (SSL)
  6. The effects of Response Code Monitoring

If you don’t understand one or more of the above items, we recommend that you enlist the services of a professional who understands these implementation items. Failure to do so could result in removal of this feature from your account.

Getting Started

Understanding Instant Notification

Prior to implementing this feature, you should familiarize yourself with the following information.

URL Parameters

The following URL parameters are passed from the ClickBank Instant Notification service.

Parameter Description Detail
ccustname customer name 1-510 Characters
ccuststate customer state 0-2 Characters
ccustcc customer country code 0-2 Characters
ccustemail customer email 1-255 Characters
cproditem ClickBank product number 1-5 Characters
cprodtitle title of product at time of purchase 0-255 Characters
cprodtype type of product on transaction (STANDARD, and RECURRING) 8-11 Characters
ctransaction * action taken 4-15 Characters
ctransaffiliate affiliate on transaction 0-10 Characters
ctransamount amount paid to party receiving notification (in pennies (1000 = $10.00)) 3-10 Characters
ctranspaymentmethod method of payment by customer 0-4 Characters
ctranspublisher vendor on transaction 5-10 Characters
ctransreceipt ClickBank receipt number 8-13 Characters
cupsellreceipt ** § Parent receipt number for upsell transaction 8-13 Characters
caffitid affiliate tracking id 0 – 24 Characters
cvendthru extra information passed to order form with duplicated information removed 0-1024 Characters
cverify ** the “cverify” parameter is used to verify the validity of the previous fields 8 Characters
ctranstime ** the Epoch time the transaction occurred (not included in cverify) 10 Characters
* See “Transaction Types”
** See “Cipher”
§ Present when a parent receipt exists for the transaction

When a parameter contains no value, the Instant Notification string will contain the parameter tag without a value. It is also possible for the Instant Notification service to deliver more than one POST on a single receipt. For more information, please review the FAQ Section of this document.

Transaction Types

There are a number of values you can receive in the ctransaction parameter. These values are listed below with a brief description of their purpose.

Type Description
SALE The purchase of a standard product or the initial purchase of recurring billing product.
BILL A rebill for a recurring billing product.
RFND The refunding of a standard or recurring billing product. Recurring billing products that are refunded also result in a “CANCEL-REBILL” action.
CGBK A chargeback for a standard or recurring product.
INSF An eCheck chargeback for a standard or recurring product.
CANCEL-REBILL The cancellation of a recurring billing product. Recurring billing products that are canceled do not result in any other action.
UNCANCEL-REBILL Reversing the cancellation of a recurring billing product.
TEST Triggered by using the test link on the site page.

Payment Methods

There are a number of values you can receive in the “ctranspaymentmethod” parameter. These values are listed below.

  • PYPL
  • VISA
  • MSTR
  • DISC
  • AMEX
  • SWIT
  • SOLO
  • JCBC
  • DNRS
  • ENRT
  • AUST
  • BLME
  • STVA
  • MAES

Secure Socket Layer (SSL)

It is strongly recommended that you utilize this feature with Secure Socket Layer (SSL) enabled. Using this feature without Secure Socket Layer (SSL) enabled can expose your sales data to Internet thieves. However, because credit card and bank information is not transmitted via the Instant Notification service, ClickBank does not require Secure Socket Layer (SSL) to encrypt Instant Notification transmissions.

Response Code Monitoring (Retry Logic)

The Instant Notification service attempts to POST information via HTML to the URL specified on your My Site page. If our attempt to post receives a response code from your system of something other than 200, ClickBank will retry delivering the data an hour later. The service will continue retrying once an hour for up to 72 hours, after which the feature will no longer attempt delivery.

Cipher (Preventing Fraud)

Cipher (pronounced SAI-fuhr) is a method of performing encryption and decryption. It ensures there has been no URL tampering of the query string parameters.

When an action occurs within your ClickBank account, several values are passed along in the Instant Notification query string (see URL Parameters). While building the string we create a sha1, or a hash of the values passed, and your Secret Key. The result is the cverify parameter. Upon receipt of the query string parameters, your system must also create a sha1, or a hash of the values passed, and your Secret Key.

The validity of the data received is evaluated by using the cverify parameter we send and the value produced in your system. Only if there is an exact match between the two values can you be certain the information received has not been tampered with.

Note: ctranstime and cupsellreceipt parameters are not included in the encryption algorithm for the cverify parameter.

Please see Code Samples for examples.

Implementation

After gaining a sound understanding of the previous section of this document, we recommend that you test the feature before implementing. After completing a successful test, you can set up your account for the Instant Notification service.

Request Access

Request access to the Instant Notification service by following these steps:

  1. Log in to your account
  2. Click the Account Settings tab
  3. Click My Site in the sub nav
  4. Locate the Instant Notification field and click the Click HERE to request access hyperlink
  5. Fill out the form and thoroughly review the terms of use.
  6. Click the Submit button at the bottom of the form

Test Connectivity and Processing

Test the connectivity and successful processing of the URL parameters between ClickBank and your server by following these steps:

  1. Log in to your account
  2. Click the Account Settings tab
  3. Click My Site in the sub nav
  4. Enter the URL you want ClickBank to send the notifications to in the Instant Notification 1 field

    5. Note: Do not click Save Changes

  5. Click Test to the right of the URL
  6. Review the response in the popup window to identify if the test was a success

If the test was not successful, remove the URL from the Instant Notification field and troubleshoot possible problems with connectivity or your programming.

Important: You should not populate the Instant Notification field unless you can conduct a successful test. Doing so may result in your access to the feature being disabled.

The following Instant Notification parameters and values are passed for each execution of the test.

Parameter Value
ccustname Test User
ccuststate
ccustcc
ccustemail testuser@somesite.com
cproditem 399
cprodtitle A passed in title
cprodtype STANDARD
ctransaction TEST
ctransaffiliate
ctransamount 100
ctranspaymentmethod VISA
ctranspublisher Real Vendor Nickname
ctransreceipt XXXXXXXX
caffitid
cvendthru
cverify Real cverify

Account Setup

Now that you have been granted access to the feature and have conducted a successful test, it’s time to complete the account setup of the Instant Notification service. Setting up the service is straightforward and involves the following steps.

  1. Log into your account
  2. Click the Account Settings tab
  3. Click My Site in the sub nav
  4. Enter a Secret Key on your My Site page
  5. Enter an Instant Notification URL in the Instant Nofification 1 field (ports 80 or 443 – SSL Recommended)
  6. Click Test to the right of the URL before you save the changes
  7. Review the response in the popup window to identify if the test was a success
  8. Click Save Changes

Once the setup is complete, the Instant Notification transmissions will begin immediately.

Disabling

Removing the URL from the Instant Notification field on the My Site page will stop the system from delivering notifications.

FAQ

Q: I’m not an experienced programmer. Should I attempt to implement ClickBank Instant Notifications?

A: No. There are several aspects of the Instant Notification service that require programming experience.

Q: Is it possible for the Instant Notification service to deliver more than one POST on a single receipt?

A: Yes. There are many scenarios where this is true. For instance, you will receive multiple POSTs for a single transaction if a refund is given and then reversed. This would result in delivery of a RFND action POST and then a SALE action post. The first action is a result of the original sale being refunded. The second action is a result of the sale being reinstated.

Q: How do I stop the ClickBank Instant Notification service from making POSTs to me?

A: Removing the Instant Notification URL from your My Site page will stop the system from delivering the notifications.

Q: Will I always receive all the Parameters or only when they contain values?

A: You will always receive all the parameters. When a parameter contains no value, the Instant Notification string will contain the parameter tag without a value.

Q: Why do some of the Parameters have a 0 in the number of characters to expect?

A: These Parameters may not contain any value during the post, which is why they are listed with the possibility for 0 characters.

Q: Am I required to use SSL with the ClickBank Instant Notification service?

A: It is not required, but is highly recommended as it provides you with protection against Internet thieves.

Q: Am I required to use Cipher with the ClickBank Instant Notification service?

A: It is required. You must add a secret key to your account to enable Instant Notifications.

Q: Are the code samples provided by ClickBank fully functional and ready to go?

A: No. In most cases, the code samples must be nested in a program. If this is not understood, we recommend that you enlist the services of a professional programmer.

Q: Will ClickBank Instant Notification work with a self-signed SSL certificate?

A: No. A valid certificate is required.

Q: Is it possible to test the Instant Notification service prior to implementing?

A: Yes. Test connectivity and processing between ClickBank and your server by following these steps:

  1. Enter the URL you want ClickBank to send the notification to
  2. Click Test to the right of the URL before you save the changes
  3. Review the response in the popup window to identify if the test was a success

Q: Can I send to notifications to more than one URL?

A: Yes. A second notification URL can be added after saving your first notification URL. Note: all the same rules apply to the second notification URL.

Code Samples

The data sent to you by the Instant Notification service is in the form of HTML FORM POST URL Parameters. Programs written within your application architecture must process these pairs. Programs for order management, database activity, and other services may be written but are outside the scope of this guide.

JAVA

Cipher (Validation Processing Code)

The following Java code will create the cverify value and verify if it is correct using the plain text values in the HTTP POST and your secret key.

Note: This requires the jakarta commons codec library to be functional.

Code Sample

    public boolean validateApiNotification(HttpServletRequest request) {
        String xxpop = "";
        String cverify = request.getParameter("cverify");

         String pop = String.format("%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s",
            request.getParameter("ccustname"),
            request.getParameter("ccustemail"),
            request.getParameter("ccustcc"),
            request.getParameter("ccuststate"),
            request.getParameter("ctransreceipt"),
            request.getParameter("cproditem"),
            request.getParameter("ctransaction"),
            request.getParameter("ctransaffiliate"),
            request.getParameter("ctranspublisher"),
            request.getParameter("cprodtype"),
            request.getParameter("cprodtitle"),
            request.getParameter("ctranspaymentmethod"),
            request.getParameter("ctransamount"),
            request.getParameter("caffitid"),
            request.getParameter("cvendthru"),
            "YOUR SECRET KEY");

        try {
            MessageDigest digest = MessageDigest.getInstance("SHA");
            byte[] b = digest.digest(pop.getBytes());

            xxpop = new String(Hex.encodeHex(b)).toUpperCase();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

        return xxpop.equalsIgnoreCase(cverify);
    }

PHP

Cipher (Validation Processing Code)

The following PHP will create the cverify value and verify if it is correct using the plain text values in the HTTP POST and your secret key (e.g. not URL-encoded).

Response Types:
1 = Pass
0 = Fail

Code Sample

<?php

function cbValid() {

	$key='YOUR SECRET KEY';
	$ccustname = $_REQUEST['ccustname'];
	$ccustemail = $_REQUEST['ccustemail'];
	$ccustcc = $_REQUEST['ccustcc'];
	$ccuststate = $_REQUEST['ccuststate'];
	$ctransreceipt = $_REQUEST['ctransreceipt'];
	$cproditem = $_REQUEST['cproditem'];
	$ctransaction = $_REQUEST['ctransaction'];
	$ctransaffiliate = $_REQUEST['ctransaffiliate'];
	$ctranspublisher = $_REQUEST['ctranspublisher'];
	$cprodtype = $_REQUEST['cprodtype'];
	$cprodtitle = $_REQUEST['cprodtitle'];
	$ctranspaymentmethod = $_REQUEST['ctranspaymentmethod'];
	$ctransamount = $_REQUEST['ctransamount'];
	$caffitid = $_REQUEST['caffitid'];
	$cvendthru = $_REQUEST['cvendthru'];
	$cbpop = $_REQUEST['cverify'];

	$xxpop = sha1("$ccustname|$ccustemail|$ccustcc|$ccuststate|$ctransreceipt|$cproditem|$ctransaction|"
		."$ctransaffiliate|$ctranspublisher|$cprodtype|$cprodtitle|$ctranspaymentmethod|$ctransamount|$caffitid|$cvendthru|$key");

    $xxpop=strtoupper(substr($xxpop,0,8));

    if ($cbpop==$xxpop) return 1;
	else return 0;
}

?>

Need more information? Take a look at these related posts:

  1. ClickBank API
  2. Protecting Your Product
  3. Sales Notifications
If you still have questions, contact us.