POST requests.
Recommended flow
- Accept
POSTrequests over HTTPS. - Limit the maximum request size.
- Parse the JSON envelope.
- Require
id,type,created_at, anddata. - Confirm
Webhook-IdandWebhook-Eventmatch the payload. - Deduplicate using the event
id. - Persist the payload or place it on a durable queue.
- Return a
2xxresponse quickly. - Process the business action asynchronously.
Important security note
Webhook-Id and Webhook-Event are metadata, not cryptographic signatures. They help with routing and duplicate detection but do not prove who sent the request.
Use a long, unguessable endpoint path, keep it private, require HTTPS, and apply normal request-size and rate limits. Do not place credentials in the URL’s username or password section.
Example endpoint:
Standalone PHP example
This minimal PHP 8 endpoint validates and stores each delivery before acknowledging it. Keep the storage directory outside the public web root.event_id in a database column with a unique index and enqueue the payload in the same database transaction. The file example demonstrates receipt only; it does not provide durable deduplication across concurrent workers.
Route events by type
Process only event types your integration understands and safely ignore unknown types:Test the endpoint
Save the URL in Admin → API Information, then select Send test webhook. A successful request has the typewebhook.test: