Webhooks
During onboarding you have the ability to provide us with a URL that we can send webhooks to.
We will always send POST requests to this URL and expect a 200 response status code.
Payload fields
When you receive a webhook from us, you can safely assume that each payload contains at least the following fields:
Key | Type | Description | Example |
---|---|---|---|
id | ULID (string) | A unique ordered ID assigned to the payload of the webhook. | 01GTKD6ZYFVQMR0RWP4HBBHNZC |
data | object or array of objects | | |
action | string | The action that caused this webhook to be sent | channel.activated |
created | UTC Zulu ISO8601 String | When the payload was initially created | 2023-03-03T09:35:24Z |
version | string | Version of the webhook | 1.0 |
Signature
In the header of the webhook you will find a Signature field. You can use this field to verify that Hospitable is the sender.
To do this you need the following:
- Payload
- Webhook secret (given to you during onboarding)
We sign the webhook payload using standard HMAC with the SHA256 hash function.
For example:
- Payload is {"foo": "bar"}
- Your webhook secret is "123456"
- The signature header is cc99bf5947391ddb0d0d9866f5b9d3a68e8b273c5ac8f699b4ae2399a7433118
You can now apply the HMAC to verify the signature:
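<?php
// Returns true when $signature matches the HMAC-SHA256 of the raw payload.
function verify(string $payload, string $signature): bool
{
    // env() is Laravel's helper; in plain PHP read the secret with getenv('SECRET').
    // '123456' is only the example secret from above.
    $expected = hash_hmac('sha256', $payload, env('SECRET', '123456'));
    // hash_equals() compares in constant time, so the check leaks no timing information.
    return hash_equals($expected, $signature);
}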
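A fuller receiver built on the same check, as an added example that is not Hospitable's code: it verifies the Signature header against the raw request body before parsing, then checks the fields from the payload table. The function name handleWebhook, its [status, reason] return shape, the non-200 codes for rejected deliveries and the sample delivery are assumptions constructed for illustration.

```php
<?php
// Added example, not Hospitable's code. handleWebhook() and its [status, reason]
// return shape are hypothetical; field names come from the payload table.
const REQUIRED_FIELDS = ['id', 'data', 'action', 'created', 'version'];

function handleWebhook(string $rawBody, ?string $signature, string $secret): array
{
    // Reject a missing or empty Signature header outright.
    if ($signature === null || $signature === '') {
        return [401, 'missing signature'];
    }
    // HMAC the exact bytes received; hash_equals() compares in constant time.
    $expected = hash_hmac('sha256', $rawBody, $secret);
    if (!hash_equals($expected, $signature)) {
        return [401, 'bad signature'];
    }
    // Parse only after the signature checks out.
    try {
        $payload = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [400, 'invalid JSON'];
    }
    if (!is_array($payload)) {
        return [400, 'payload is not an object'];
    }
    foreach (REQUIRED_FIELDS as $field) {
        if (!array_key_exists($field, $payload)) {
            return [400, "missing field: $field"];
        }
    }
    return [200, 'accepted'];
}

// In a real endpoint: $rawBody   = file_get_contents('php://input');
//                     $signature = $_SERVER['HTTP_SIGNATURE'] ?? null;
// Constructed sample delivery using the table's Example values and secret "123456".
$secret = '123456';
$body = '{"id": "01GTKD6ZYFVQMR0RWP4HBBHNZC", "data": {}, "action": "channel.activated", "created": "2023-03-03T09:35:24Z", "version": "1.0"}';
$signature = hash_hmac('sha256', $body, $secret);

// Correctly signed delivery.
echo json_encode(handleWebhook($body, $signature, $secret)), PHP_EOL;
// Header absent.
echo json_encode(handleWebhook($body, null, $secret)), PHP_EOL;
// Body re-encoded after parsing: the whitespace changes, so the bytes no longer
// match what was signed and the same signature is refused.
$reencoded = json_encode(json_decode($body, true));
echo json_encode(handleWebhook($reencoded, $signature, $secret)), PHP_EOL;
```

The last case is the common integration mistake: frameworks that hand you a parsed body will fail verification unless you sign the raw bytes.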