Supercharge Store

Setting up a dynamic webhook

SellApp's dynamic webhook sends a POST requests to your webhook URL that you enter while creating a product.

The POST request is sent as a JSON object when a customer successfully completes a payment, and contains all the relevant order data so your webhook can process the order programmatically.

Whichever value you return to us as a response to the above POST request, we pass along to the customer.

Heads Up

SellApp only supports HTTPS webhook endpoints for security purposes.


Generating webhook secret

Before proceeding, we strongly advise creating a webhook secret that you'll want to be using to verify and validate incoming webhook requests as legitimate.

If you don't do so, a malicious person could spoof requests and make it look like we're sending them, thus possibly resulting in your stock being drained.

Here's how to create a webhook secret:

  1. Navigate to your store's developers settings

  2. Click "New Secret" in the "Webhook secret" section.

  3. Once a secret is generated, click "Save" in order to save the newly generated webhook secret.


Validating signed webhooks

To verify the authenticity of webhook calls sent to your dynamic webhook endpoint, SellApp sends a HMAC signature that is comprised of the JSON encoded request body and your generated webhook secret.

So you know

Unlike other platforms, SellApp uses the sha256 hash function instead of the sha512 hash function

Here is a validation example for the dynamic webhook endpoint in PHP:

$secret = "webhook-secret-here"; // the webhook secret you generated on SellApp
$signature = $_SERVER['HTTP_SIGNATURE']; // Retrieving the HMAC signature sent by our servers

$computedSignature = hash_hmac('sha256', file_get_contents('php://input'), $secret); // Validating the HMAC signature sent by our servers

if (hash_equals($computedSignature, $signature)) {
    // The signature sent by the webhook is valid, we can process the order
} else {  
  // The signature is invalid, this means something in the configuration is wrong or the webhook was not sent by SellApp
}

Note: Sending test dynamic webhooks when creating/editing a product only sends mock data. Your webhook secret is also not used for this. As an example you could create a free product to test your configuration.

Once the has been set up and configured correctly, you're all good to go!

Whenever a new order gets created, we'll be pinging your dynamic endpoint URL you entered while creating the product and pass along your webhook's response to the customer.

Happy selling!

Previous
Discounting payment methods