Setting up a dynamic webhook

SellApp's dynamic webhook sends a POST request to the webhook URL that you enter while creating a product.

The POST request is sent as a JSON object when a customer successfully completes a payment, and contains all the relevant order data so your webhook can process the order programmatically.

Whichever value you return to us as a response to the above POST request, we pass along to the customer.

Heads Up

SellApp only supports HTTPS webhook endpoints for security purposes.

Generating webhook secret

Before proceeding, we strongly advise creating a webhook secret, which you'll use to verify that incoming webhook requests are legitimate.

If you don't do so, a malicious person could spoof requests and make it look like we're sending them, thus possibly resulting in your stock being drained.

Here's how to create a webhook secret:

  1. Navigate to your store's developers settings.

  2. Click "New Secret" in the "Webhook secret" section.

  3. Once a secret is generated, click "Save" in order to save the newly generated webhook secret.

Validating signed webhooks

To let you verify the authenticity of webhook calls sent to your dynamic webhook endpoint, SellApp sends an HMAC signature computed over the JSON-encoded request body, using your generated webhook secret as the key.

So you know

SellApp uses the sha256 hash function.

Here is a validation example for the dynamic webhook endpoint in PHP:

$secret = "webhook-secret-here"; // The webhook secret you generated on SellApp
$signature = $_SERVER['HTTP_SIGNATURE'] ?? ''; // The HMAC signature sent by our servers (empty string if the header is missing)

// Compute the expected HMAC signature over the raw request body
$computedSignature = hash_hmac('sha256', file_get_contents('php://input'), $secret);

// hash_equals compares the two strings in constant time
if (hash_equals($computedSignature, $signature)) {
    // The signature sent by the webhook is valid, we can process the order
} else {
    // The signature is invalid, this means something in the configuration is wrong or the webhook was not sent by SellApp
}
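
The same check for a receiver written in Python, as an added example that is not SellApp's own code. It assumes the signature arrives in the `Signature` request header (what PHP exposes as `HTTP_SIGNATURE`) as the lowercase hex digest that `hash_hmac` produces by default; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json


def compute_signature(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, matching PHP's hash_hmac('sha256', ...)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict, secret: str) -> bool:
    """Return True only if the Signature header matches the HMAC of the body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("signature")
    if not received or not secret:
        return False  # missing header or unset secret: reject instead of crashing
    expected = compute_signature(raw_body, secret)
    # compare_digest is constant-time, like PHP's hash_equals; comparing bytes
    # avoids a TypeError if the header contains non-ASCII characters.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: dict, secret: str):
    """Verify first, parse second. Returns (status_code, order_or_None)."""
    if not verify_webhook(raw_body, headers, secret):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


# Constructed sample data (not a real SellApp payload or secret).
SECRET = "example-secret-not-real"
BODY = b'{"id": 1001, "quantity": 1, "product": "Demo"}'
GOOD_HEADERS = {"Signature": compute_signature(BODY, SECRET)}

if __name__ == "__main__":
    print(handle_webhook(BODY, GOOD_HEADERS, SECRET))  # accepted
    print(handle_webhook(BODY.replace(b"1001", b"9999"), GOOD_HEADERS, SECRET))  # tampered
    # Re-serialising parsed JSON changes the bytes, so the signature stops matching:
    reencoded = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    print(verify_webhook(reencoded, GOOD_HEADERS, SECRET))
    print(handle_webhook(BODY, {}, SECRET))  # no Signature header
```

Pass the request body exactly as received (the equivalent of `php://input`); a body that has been parsed and re-encoded by a framework will not verify.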

Heads up

Sending a test dynamic webhook is only for the purpose of checking whether your endpoint is correct. The test sends mock data, and your webhook secret is not used for this.

To properly test the flow, including the use of your webhook secret, we advise creating a free product, or creating a one-off 100% off coupon.

Once the webhook has been set up and configured correctly, you're all good to go!

Whenever a new order gets created, we'll ping the dynamic webhook URL you entered while creating the product, then pass along your webhook's response to the customer.

Happy selling!
