Before you start using a webhook, you must validate and test it. Moreover, you should ensure that you correctly handle idempotency scenarios, wherein duplicate webhook events reach your endpoint.
Validating a Webhook
Once you set a secret token, Fynd Platform uses it to generate a hash signature with each payload. A hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret as the key and the webhook request body as the message. This hash signature is included with the headers of each request as x-fp-signature.
You can validate the webhook signature using an HMAC as shown below:
key = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature
expected_signature = hmac('sha256', message, key)
if expected_signature != received_signature
Since a webhook design is based on HTTP POST calls, it's crucial to handle instances, wherein your endpoint receives the same webhook event multiple times.
To handle idempotency:
- Identify the duplicate webhooks using the
x-fp-event-idheader. The value for this header is unique for every event.
- Check the value of x-fp-event-id in the webhook request header.
- Verify if an event with the same header is processed by you.
Testing a Webhook
Click the Test Webhook button to check if your webhook URL is valid. Fynd Platform sends a ping event on the webhook URL.
It will show a success message if the URL is capable of receiving a payload from us.
In case it shows a failure message, please verify your URL for any typo, and cross-check on your end if it's ready to receive any payload. Moreover, it should be a publicly accessible HTTPS URL.