Skip to main content

Introduction

Webhooks enable your app get notified of events and state changes when interacting with Onboard’s widget or API. For instance, you’ll receive a webhook notification when an order transitions from INITIATED to DEPOSITED.

Setting up a webhook

To get started, configure a publicly accessible webhook URL from Onboard Connect’s Settings in the Business portal dashboard.
This URL must be able to:
  • Return a 200 OK HTTP status code with no response body.
  • Accept the webhook payload (see structure below).
  • Verify the authenticity of the sender using the signature in the request header.
If the webhook endpoint does not specify a 200 0K HTTP response code on receipt of webhook data, there will be subsequent attempts to resend it until the retry attempts are exhausted.

Number of retry attempts is currently set at 3.

Verifying webhook origin

Since your webhook URL is publicly available, you need to verify that events originate from Onboard and not a bad actor. To ensure this, each webhook attempt makes use of signed HTTP headers, which contain values you can use to verify the authenticity of the data being transmitted between Onboard and your application. The following signed headers can be used:

x-signature

  • Here’s an example, in Javascript, of how this parameter can be verified:
The apiSecret is the same as the one configured from your Business portal dashboard.

x-timestamp

  • This is the timestamp used to generate the signature

Webhook payload structure

A webhook payload will typically conform to the structure below:
data is an object which is peculiar to the specific webhook context.

Sample payload

Supported webhook events

Order states

A terminal state indicates that the state/status cannot be reversed, or transition to a different state.

It usually means the order has terminated, either as completed or cancelled.