POST
request to the URL provided in the notification policy. The request body will contain the event details, as well as the resource that relates to the event.
When a webhook policy is created, you will be provided with a secret key. This key can used to verify the authenticity of the request. You can find the secret key in the dashboard or in the response body when creating a policy via the API.
All webhooks contain a JSON payload and a sequence-signature
header, consisting of a timestamp (t=17301212441
) and a secret (s=abc123def...
).
To validate the webhook:
- Append the timestamp to the request body separated by a
.
(e.g.17301212441.{"notificationType"="CUSTOMER_CREATED", ...}
) - Hash the result using HMAC-SHA256 with the secret key
- Compare the resulting hash with the secret in the
sequence-signature
header

Event types
CUSTOMER_CREATED
CUSTOMER_UPDATED
CUSTOMER_ARCHIVED
INVOICE_CREATED
INVOICE_ISSUED
INVOICE_UPDATED
MERCHANT_UPDATED
BILLING_SCHEDULE_CREATED
BILLING_SCHEDULE_UPDATED
BILLING_SCHEDULE_ARCHIVED
CREDIT_NOTE_CREATED
CREDIT_NOTE_UPDATED
CREDIT_NOTE_ISSUED
QUOTE_PUBLISHED
QUOTE_ACCEPTED