Logo
Postman
Getting started
  • Overview
  • Migrate to v3 🚀
  • Testing
  • Error handling
  • Client Libraries
  • Webhooks
  • Loyalty Tokens
Guides
OAuth API
Registers & POS API

Webhooks

Webhooks can be subscribed to using the OAuth API, the Business Dashboard, or Automations. In case of the OAuth API and the Business Dashboard, webhook subscriptions are set up for events and will be fired for each and every one of those events. Within the Automations tool, you can set up a more delicate webhook system, only firing after some set of filters have passed. This way, you can prevent an overload of irrelevant API calls being sent to your servers.


Verifying the Webhook's signature

On each webhook request, a Signature header is set. This header is a hash consisting of the json encoded payload and the secret set on the webhook subscription. If no secret is set on the subscription itself, the Account secret is used instead.

The signature is compiled as follows:

1 2 3 4 5 $payloadJson = json_encode($payload); $signature = hash_hmac('sha256', $payloadJson, $secret);

The signature can subsequently be used on each request to check if it hasn't been tampered with.


Retries

If the webhook request doesn't receive a response within the 2xx range, it will retry a maximum of five times, with increasing intervals between the attempts.



To OAuth Webhooks