Webhooks
Webhooks can be subscribed to using the OAuth API, the Business Dashboard, or Automations. In the case of the OAuth API and the Business Dashboard, webhook subscriptions are set up for events and fire for every occurrence of those events. Within the Automations tool, you can set up a more fine-grained webhook system that only fires after a set of filters has passed. This way, you can prevent an overload of irrelevant API calls being sent to your servers.
Verifying the Webhook's signature
On each webhook request, a Signature header is set. This header contains an HMAC-SHA256 hash of the JSON-encoded payload, keyed with the secret set on the webhook subscription. If no secret is set on the subscription itself, the Account secret is used instead.
The signature is computed as follows:
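// Serialize the payload to JSON; this exact string is what gets signed.
$payloadJson = json_encode($payload);
// HMAC-SHA256 keyed with the subscription secret (or the Account secret); returns lowercase hex.
$signature = hash_hmac('sha256', $payloadJson, $secret);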
On each request, the receiver can then recompute the signature and compare it with the Signature header to check that the request hasn't been tampered with.
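A receiver-side check for the signature described above, as an added example that is not part of the original documentation. It assumes the request body is exactly the json_encode() output that was signed and that the header carries the hex digest as hash_hmac() returns it; the function name, secret and payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: checks the Signature header of an incoming webhook.
 * Assumption: $rawBody is the exact byte string the sender passed to hash_hmac().
 */
function verifyWebhookSignature(string $rawBody, ?string $signatureHeader, string $secret): bool
{
    // A missing or empty header can never be valid.
    if ($signatureHeader === null || trim($signatureHeader) === '') {
        return false;
    }
    // Recompute the HMAC over the raw bytes received, not over a re-encoded copy.
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals() compares in constant time, so the check leaks no timing signal.
    return hash_equals($expected, trim($signatureHeader));
}

// In a real handler the inputs would come from the request:
//   $rawBody = file_get_contents('php://input');
//   $header  = $_SERVER['HTTP_SIGNATURE'] ?? null;

// --- Constructed sample data (not real values) ---
$secret  = 'example-subscription-secret';
$payload = ['event' => 'example.event', 'url' => 'https://example.com/a/b', 'amount' => 12.50];

// Sender side, as shown on this page.
$body      = json_encode($payload);
$signature = hash_hmac('sha256', $body, $secret);

// Case 1: the body arrives unmodified.
var_dump(verifyWebhookSignature($body, $signature, $secret));

// Case 2: one value in the body was changed in transit.
$tampered = str_replace('12.5', '99.5', $body);
var_dump(verifyWebhookSignature($tampered, $signature, $secret));

// Case 3: the receiver decoded and re-encoded the JSON with different flags,
// which changes the bytes (slashes are no longer escaped) and so the HMAC.
$reencoded = json_encode(json_decode($body, true), JSON_UNESCAPED_SLASHES);
var_dump(verifyWebhookSignature($reencoded, $signature, $secret));

// Case 4: the Signature header is missing.
var_dump(verifyWebhookSignature($body, null, $secret));
```

Only the first case passes verification. The third case is the common integration mistake: always verify against the raw request body before parsing it.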
Retries
If the webhook request doesn't receive a response within the 2xx range, it is retried a maximum of five times, with increasing intervals between the attempts.