Skip to main content
Version: 3.x

Redirect URLs

After survey completion, participants are redirected to your supplied URL with signed parameters.

The redirect URL can be handled in two ways:

  1. Placeholder substitution (recommended for full control)
  2. Query parameter appending (automatic fallback)

In both cases, a SHA-256 HMAC signature (sech) is added to verify integrity.

Parameters

NameDescription
statusClick key state (see Redirect Statuses).
revenuePartner revenue amount (float).
rewardParticipant reward amount (float).
tidPublisher-provided session or match identifier. This should be unique per click and is returned exactly as received.
click_idTapResearch internal identifier for the click.
sechSHA-256 HMAC signature verifying the signed parameters.

Redirect Modes

Placeholder Substitution

If your redirect URL contains placeholders using curly braces (e.g., {STATUS}), those placeholders will be replaced before redirecting.

Supported placeholders:

  • {STATUS}
  • {REVENUE}
  • {REWARD}
  • {TID}
  • {CLICK_ID}

Example:

https://example.com/callback?status={STATUS}&tid={TID}

After substitution:

https://example.com/callback?status=1&tid=session_123&sech=<signature>

Important behavior

  • Only placeholders present in the URL are included in the signature.

  • After substitution, the system:

    • Parses the resulting query parameters
    • Computes sech
    • Appends sech to the query string.

Query Parameter Appending (No Placeholders)

If your redirect URL does not contain placeholders, the system automatically appends all parameters:

  • status
  • revenue
  • reward
  • tid
  • click_id

Example base URL:

https://example.com/callback

Result:

https://example.com/callback?status=1&revenue=0.45&reward=50&tid=session_123&click_id=abc123&sech=<signature>

In this mode, all parameters are always signed.

How Signing Works

The system computes a SHA-256 HMAC using your API secret.

Signing Order

Canonical signing order:

status,revenue,reward,tid,click_id

Data String Construction

The signature is created by:

  1. Taking only the relevant keys (depending on redirect mode).
  2. Ordering them according to the canonical signing order above.
  3. Joining their values with commas.

Example:

1,0.45,50,session_123,abc123

If tid is blank, it is included as an empty value:

1,0.45,50,,abc123

Signature Generation

HMAC-SHA256(data_string, api_secret)

The resulting lowercase hex digest becomes the sech parameter.

How to Validate the Redirect

When you receive the redirect:

  1. Extract the relevant parameters.
  2. Reconstruct the comma-separated string in the correct order.
  3. Compute the SHA-256 HMAC using your API secret.
  4. Compare your result to the received sech.

If they do not match:

  • The parameters were modified, or
  • The wrong API secret was used.