In this group we have all the API endpoints used to interact with webhooks. All calls to those endpoints require a valid ApiKey.
To start receiving webhook calls, you need to subscribe to a given event using the subscribe event and providing a target_url (must be unique). Once subscribed, whenever the event happens we will call the provided URL with event-related information.
You can use the list endpoint at any time to see all the webhooks you have.
To remove a webhook, you need to use the unsubscribe endpoint, passing the webhook id.
Expected Responses
The target URL should return a 200 OK as a result. If it returns any other response, we will retry the delivery several times, with some delay between attempts, until a 200 OK is returned or we reach the maximum total number of retries (currently 10).
As an exception to this rule, we are planning to implement auto-removal of the webhook subscription when the response of the target_url is a 410 GONE, so if you're returning that as a response you may have your webhooks removed automatically in a future release.
We also may remove webhooks that have been failing consistently for some time.
Verifying Responses
If you want to make sure the requests you're receiving are in fact coming from Lodgify, you can verify the signature you'll find in the request header named ms-signature. This signature has the format sha256=SIGNATURE.
Lodgify generates a unique secret key for each endpoint. This secret is only returned at the moment you create the webhook, so save it for verifying the signature later.
To verify the signature you need to:
1. Extract the signature from the header: the signature is the part to the right of the = sign in the header named ms-signature
2. Prepare the payload: the payload is the actual JSON payload (i.e., the request body)
3. Determine the expected signature: Compute an HMAC with the SHA256 hash function. Use the webhook's signing secret as the key, and use the payload string as the message.
4. Compare the signatures: Compare the signature in the header to the expected signature. Note that the signature in the header will be uppercase, so depending on the method you use to calculate the signature you might need to convert your result to uppercase before comparing it.
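The four steps above as an added Python example (not Lodgify's own code). The function names, the secret and the sample body are constructed for illustration, and hex encoding of the signature is an assumption based on the uppercase note in step 4. The comparison uses `hmac.compare_digest` so it runs in constant time.

```python
import hashlib
import hmac
import json

HEADER_PREFIX = "sha256="  # format given on the page: sha256=SIGNATURE


def expected_signature(secret: str, body: bytes) -> str:
    """Step 3: HMAC-SHA256 over the raw body, keyed with the webhook secret.

    Hex encoding is an assumption; the result is uppercased per step 4.
    """
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest().upper()


def verify_ms_signature(secret: str, body: bytes, header_value) -> bool:
    """Return True only if the ms-signature header value matches the body."""
    # Step 1: reject a missing or malformed header, then take the part after '='.
    if not header_value or not header_value.startswith(HEADER_PREFIX):
        return False
    received = header_value[len(HEADER_PREFIX):].strip().upper()
    # Step 2: 'body' must be the exact bytes received, not re-serialized JSON.
    expected = expected_signature(secret, body)
    # Step 4: constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample data (not real Lodgify values).
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"event":"example","id":123}'
SAMPLE_HEADER = HEADER_PREFIX + expected_signature(SAMPLE_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print("valid request:", verify_ms_signature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER))
    # Parsing and re-dumping the JSON changes whitespace, so the signature no longer matches.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    print("re-serialized body:", verify_ms_signature(SAMPLE_SECRET, reserialized, SAMPLE_HEADER))
    print("tampered body:", verify_ms_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADER))
```

Verify against the raw request bytes before any JSON parsing, and reject the request when the check fails.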