Skip to main content
A webhook endpoint is a public HTTPS URL in your application that accepts BillingServ JSON POST requests.
  1. Accept POST requests over HTTPS.
  2. Limit the maximum request size.
  3. Parse the JSON envelope.
  4. Require id, type, created_at, and data.
  5. Confirm Webhook-Id and Webhook-Event match the payload.
  6. Deduplicate using the event id.
  7. Persist the payload or place it on a durable queue.
  8. Return a 2xx response quickly.
  9. Process the business action asynchronously.

Important security note

Webhook-Id and Webhook-Event are metadata, not cryptographic signatures. They help with routing and duplicate detection but do not prove who sent the request. Use a long, unguessable endpoint path, keep it private, require HTTPS, and apply normal request-size and rate limits. Do not place credentials in the URL’s username or password section. Example endpoint:

Standalone PHP example

This minimal PHP 8 endpoint validates and stores each delivery before acknowledging it. Keep the storage directory outside the public web root.
For production, store event_id in a database column with a unique index and enqueue the payload in the same database transaction. The file example demonstrates receipt only; it does not provide durable deduplication across concurrent workers.

Route events by type

Process only event types your integration understands and safely ignore unknown types:
Do not reject an otherwise valid delivery only because its event type is new. Returning a failure for unknown types causes unnecessary retries.

Test the endpoint

Save the URL in Admin → API Information, then select Send test webhook. A successful request has the type webhook.test:
Once the test succeeds, create or update a QA resource and confirm the corresponding event from the event reference.