POST request to the URL provided in the notification policy. The request body will contain the event details, as well as the resource that relates to the event.
When a webhook policy is created, you will be provided with a secret key. This key can used to verify the authenticity of the request. You can find the secret key in the dashboard or in the response body when creating a policy via the API.
All webhooks contain a JSON payload and a sequence-signature header, consisting of a timestamp (t=17301212441) and a secret (s=abc123def...).
To validate the webhook:
- Append the timestamp to the request body separated by a
.(e.g.17301212441.{"notificationType"="CUSTOMER_CREATED", ...}) - Hash the result using HMAC-SHA256 with the secret key
- Compare the resulting hash with the secret in the
sequence-signatureheader
Event types
CUSTOMER_CREATEDCUSTOMER_UPDATEDCUSTOMER_ARCHIVEDINVOICE_CREATEDINVOICE_ISSUEDINVOICE_UPDATEDMERCHANT_UPDATEDBILLING_SCHEDULE_CREATEDBILLING_SCHEDULE_UPDATEDBILLING_SCHEDULE_ARCHIVEDCREDIT_NOTE_CREATEDCREDIT_NOTE_UPDATEDCREDIT_NOTE_ISSUEDQUOTE_PUBLISHEDQUOTE_ACCEPTED