Setting up a dynamic webhook
SellApp's dynamic webhook sends a POST request to the webhook URL that you enter while creating a product.
The POST request is sent as a JSON object when a customer successfully completes a payment, and contains all the relevant order data so your webhook can process the order programmatically.
Whichever value you return to us as a response to the above POST request, we pass along to the customer.
SellApp only supports HTTPS webhook endpoints for security purposes.
Generating webhook secret
Before proceeding, we strongly advise creating a webhook secret, which you'll use to verify that incoming webhook requests are legitimate.
If you don't do so, a malicious person could spoof requests and make it look like we're sending them, thus possibly resulting in your stock being drained.
Here's how to create a webhook secret:
- Navigate to your store's developers settings
- Click "New Secret" in the "Webhook secret" section.
- Once a secret is generated, click "Save" in order to save the newly generated webhook secret.
Validating signed webhooks
To verify the authenticity of webhook calls sent to your dynamic webhook endpoint, SellApp sends an HMAC signature computed from the JSON-encoded request body and your generated webhook secret, using the sha256 hash function.
Here is a validation example for the dynamic webhook endpoint in PHP:
<?php
$secret = "webhook-secret-here"; // the webhook secret you generated on SellApp
$signature = $_SERVER['HTTP_SIGNATURE'] ?? ''; // Retrieving the HMAC signature sent by our servers (empty string if the header is missing)
$computedSignature = hash_hmac('sha256', file_get_contents('php://input'), $secret); // Computing the expected HMAC signature over the raw request body
if (hash_equals($computedSignature, $signature)) {
    // The signature sent by the webhook is valid, we can process the order
} else {
    // The signature is invalid, this means something in the configuration is wrong or the webhook was not sent by SellApp
}
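The same check for a receiver not written in PHP, as an added example (not SellApp's code). It assumes, as in the PHP snippet, a hex-encoded HMAC-SHA256 of the raw body in the `Signature` header; the function names, the 401 response and the sample order body are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: the field names are NOT SellApp's real order schema.
SAMPLE_SECRET = "webhook-secret-here"
SAMPLE_BODY = b'{"id":1001,"quantity":1,"total":"0.00"}'
# Stands in for the value the sender would put in the Signature header.
SAMPLE_SIGNATURE = hmac.new(SAMPLE_SECRET.encode(), SAMPLE_BODY, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_header, secret: str) -> bool:
    """True only if the header equals hex(HMAC-SHA256(secret, raw body bytes))."""
    if not signature_header:
        return False  # missing or empty header: reject, never compare against None
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; str inputs with non-ASCII would raise.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def handle_webhook(raw_body: bytes, headers: dict, secret: str):
    """Hypothetical handler: authenticate first, parse the JSON only afterwards."""
    sig = next((v for k, v in headers.items() if k.lower() == "signature"), None)
    if not verify_signature(raw_body, sig, secret):
        return 401, "invalid signature"
    order = json.loads(raw_body)
    return 200, f"order {order['id']} accepted"


if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, {"Signature": SAMPLE_SIGNATURE}, SAMPLE_SECRET))
    # Same JSON, different bytes: re-serialising adds spaces, so the HMAC no longer matches.
    reencoded = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_signature(reencoded, SAMPLE_SIGNATURE, SAMPLE_SECRET))
    # One changed field with the old signature is rejected.
    tampered = SAMPLE_BODY.replace(b'"quantity":1', b'"quantity":9')
    print(handle_webhook(tampered, {"Signature": SAMPLE_SIGNATURE}, SAMPLE_SECRET))
```

Verify against the request bytes exactly as received; many frameworks hand you an already parsed body, and re-encoding it will not reproduce the signed bytes.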
Sending a test dynamic webhook is only for the purpose of checking whether your endpoint is correct. The test sends mock data, and your webhook secret is not used for this.
To properly test the flow, including the use of your webhook secret, we advise creating a free product, or creating a one-off 100% off coupon.
Once this has been set up and configured correctly, you're all good to go!
Whenever a new order gets created, we'll ping the dynamic endpoint URL you entered while creating the product, then pass along your webhook's response to the customer.
Happy selling!