SellApp's dynamic webhook sends HTTPS `POST` requests to a specified webhook URL of your choosing, that you enter while creating a product. The HTTPS callback is sent when a customer successfully completes a purchase, and the payload is sent as a JSON object.

Please note: SellApp only supports HTTPS webhook URLs.

Generating webhook secret
Before going any further, we strongly advise creating a webhook secret that you’ll want to be using to verify/validate incoming webhook requests. Navigate to your store’s ‘Other’ settings ( and click on “New Secret” in the “Webhook secret” section. Once a secret is generated, click on “Save” in order to save the newly generated webhook secret.

Validating signed webhooks
To verify the authenticity of webhook calls sent to your dynamic webhook endpoint, SellApp sends a HMAC signature that is comprised of the JSON encoded request body and your generated webhook secret.

Note: Unlike other platforms, SellApp uses the `sha256` hash function instead of the `sha512` hash function

Here is a PHP example of how to validate dynamic webhook endpoint:

$secret = “webhook-secret-here”; // the webhook secret you generated on SellApp
$signature = $_SERVER['HTTP_SIGNATURE']; // Retrieving the HMAC signature sent by our servers
$computedSignature = hash_hmac('sha256',

file_get_contents('php://input'), $secret); // Validating the HMAC signature sent by our servers

if (hash_equals($computedSignature, $signature)) {
// The signature sent by the webhook is valid, we can process the order
} else {
// The signature is invalid, this means something in the configuration is wrong or the webhook was not sent by SellApp

Note: Sending test dynamic webhooks when creating/editing a product only sends mock data. Your webhook secret is also not used for this.

That’s all, happy selling!

Did this answer your question?