MoneyRain Offerwall

Publisher API documentation

Use hosted links to send users to MoneyRain, then use signed reward callbacks to credit users on your own site.

Hosted offerwall link

Send users to:

https://offerwall.moneyrain.top/wall.php?pub=PUBLISHER_ID&uid=YOUR_USER_ID

pub is your MoneyRain user ID. uid is your own user identifier. Keep uid stable and do not put private data in it.

Reward callback setup

In Dashboard, set a HTTPS callback URL and callback secret. MoneyRain sends one callback after a publisher-link ad completion is credited to your MoneyRain balance.

HTTP request

POST https://your-site.example/moneyrain-callback
Content-Type: application/json
X-MoneyRain-Event: reward.completed
X-MoneyRain-Timestamp: 1782730000
X-MoneyRain-Signature: sha256=HEX_HMAC_SHA256

Payload

{
  "event": "reward.completed",
  "publisher_id": 123,
  "external_uid": "your-user-42",
  "view_id": 98765,
  "campaign_id": 555,
  "ad_type": "ptc",
  "reward_usdt": "0.00003000",
  "advertiser_cost_usdt": "0.00005000",
  "status": "completed",
  "timestamp": 1782730000,
  "nonce": "random24hex"
}

Signature verification

The signature is hash_hmac('sha256', raw_request_body, callback_secret). Compare it with the X-MoneyRain-Signature header after removing the sha256= prefix.

<?php
$secret = 'your callback secret';
$body = file_get_contents('php://input');
$header = $_SERVER['HTTP_X_MONEYRAIN_SIGNATURE'] ?? '';
$expected = 'sha256=' . hash_hmac('sha256', $body, $secret);

if (!hash_equals($expected, $header)) {
    http_response_code(403);
    exit('bad signature');
}

$payload = json_decode($body, true);
if (!is_array($payload) || ($payload['event'] ?? '') !== 'reward.completed') {
    http_response_code(400);
    exit('bad payload');
}

// Prevent double crediting: store view_id or nonce in your database first.
// Then credit $payload['external_uid'] with $payload['reward_usdt'].

echo 'OK';

Retry policy

V1 stores the last callback status and failure count, but does not queue retries. Your endpoint should respond with HTTP 200, 201, 202, or 204 only after you have safely recorded the reward.

Security notes

Use HTTPS, keep your callback secret private, verify signatures using the raw request body, reject old timestamps if needed, and store view_id or nonce to prevent duplicate crediting.