Handling Webhook Events
If you've gone through our Webhooks Quickstart, you should be able to receive events. Here, we'll talk about the events you'll receive and ways you might want to use them.
Webhook events have a JSON body that always has as few top-level properties. Here's an example of the event that gets fired when a customer is created:
Note that there are three top-level properties:
Webhook endpoints should be idempotent when possible
Since it is very hard to guarantee only-once delivery of webhook events, it is possible for your webhook endpoint to receive the same event more than once. Whenever possible, your webhook endpoint should be able to be called with the same event multiple times. We include an idempotency key to help uniquely identify an event, which can help identify the same event if it appears multiple times.
Octane signs every webhook event with an OCTANE-SIGNATURE header. This hash can be used to validate that the events came from Octane, and that they haven't somehow been tampered with in transit. For an added layer of security, you can validate the signature of messages received from Octane.
This signature is the hash of the entire payload. To generate this hash, we use a unique webhook secret, which we expose on the Credentials tab on the Settings page in our web portal.
Assuming you have your webhook secret, validating an event looks like this: