Since security is our number one priority we have applied an authentication flow in our webhooks. We don't just deliver messages to your url. A few steps are required before we start sending our valuable data to any url.

1. Create your webhook

You can create a new webhook through our REST API or using the management screen in this section.

We highly recommend to use https target urls.
When using the REST API, please make sure your API key has the required roles to register to a event. You can see the required role for each event in the event overview.

2. Receive the activation request

To make sure you didn't register an incorrect url by mistake, you need to activate each webhook after creation. You won't receive any valuable data until the webhook is activated.

After creation, we will trigger a Webhook.Created event. This is the first request you will receive from us and contains the required header to activate your webhook. Pick up the X-Hook-Key header and activate your hook.

3. Activate your webhook

The Webhook.Created request you received, will contain the required authentication header. Use the value of this header to activate your webhook. The activation must be done with the POST - 3/hooks/{WebhookId}/activate request. We will validate your API keys and the additional webhook key

4. Validate our hook key

With each request we will send our webhook authentication header. Since this is the only way to identify the origin of your data, you should validate this header.

In case the authentication header is incorrect, you should reply with an 401 Unauthorized.