Skip to main content

Validating and Testing a Webhook

Before you start using a webhook, you must validate and test it. Moreover, you should ensure that you correctly handle idempotency scenarios, wherein duplicate webhook events reach your endpoint.

Validating a Webhook

Once you set a secret token, Fynd Platform uses it to generate a hash signature with each payload. A hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret as the key and the webhook request body as the message. This hash signature is included with the headers of each request as x-fp-signature.

You can validate the webhook signature using an HMAC as shown below:

key = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature

expected_signature = hmac('sha256', message, key)
if expected_signature != received_signature
throw SecurityError


Since a webhook design is based on HTTP POST calls, it's crucial to handle instances, wherein your endpoint receives the same webhook event multiple times.

To handle idempotency:

  1. Identify the duplicate webhooks using the x-fp-event-id header. The value for this header is unique for every event.
  2. Check the value of x-fp-event-id in the webhook request header.
  3. Verify if an event with the same header is processed by you.

Testing a Webhook

Click the Test Webhook button to check if your webhook URL is valid. Fynd Platform sends a ping event on the webhook URL.

It will show a success message if the URL is capable of receiving a payload from us.


Webhook Ping Event - Success Message

In case it shows a failure message, please verify your URL for any typo, and cross-check on your end if it's ready to receive any payload. Moreover, it should be a publicly accessible HTTPS URL.


Webhook Ping Event - Failure Message