Partner Guide

Buzz API Reference

Server-to-server APIs for in-app quest events and Buzz Links conversion postbacks. Requests use JSON bodies with HMAC-SHA256 authentication.

Quick reference

Integration	Method & path	Key header
In-app quest events	`POST /user/inapp/webhooks`	`X-Buzz-Key-Id`
Conversion postback	`POST /user/conversions/postback`	`X-Buzz-Key`

Key concepts

Different credentials per integration

In-app webhooks use X-Buzz-Key-Id from campaign in-app integration keys. Conversion postbacks use X-Buzz-Key, your project API key. Same signing algorithm — different header names.

Every request is signed

All requests require a timestamp (X-Buzz-Timestamp) and HMAC-SHA256 signature (X-Buzz-Signature). The timestamp must be within ±300 seconds of server time.

Async processing

HTTP 200 means the payload was accepted. Heavy work — point awards, campaign matching — runs in background jobs. Use campaign event visibility in your ops flow to confirm outcomes.

Base URL

All examples default to https://padapi.chaingpt.dev. Both endpoints use the public user prefix /user/…. No end-user JWT is required — API key headers + signature only.

Rate limits

100

req / min

In-app webhooks
per key-id · rolling window

req / min

Conversion postback
per X-Buzz-Key · rolling

⚠When rate limited, the API returns 429 with a Retry-After header. Implement exponential backoff in your client.

Read signing guide Open playground

Request signing