Dispatches an event notification to a configured webhook endpoint

This webhook is triggered when a significant event occurs within the system that a partner might be interested in. The payload contains details about the event type and the associated data.

Request

The webhook will be sent as an HTTP POST request to the URL configured for the webhook. The body of the request will be a JSON payload (application/json) containing an ApiWebhookContainer.

Headers

The following headers will be included in the request, adhering to the Standard Webhooks specification:

• content-type: application/json: Indicates the payload format.
• webhook-id: A unique UUID (version 4) identifying this specific delivery attempt. This can be used for idempotency and logging.
• webhook-timestamp: A string representing the Unix timestamp (seconds since epoch) of when the webhook notification was sent.
• webhook-signature: A signature to verify the authenticity and integrity of the payload. The format is v1=<signature>, where <signature> is an HMAC-SHA256 hash.

Signature Verification

To verify the signature:

1. Extract the webhook-timestamp from the header.
2. Extract the webhook-signature from the header and remove the v1= prefix.
3. Concatenate the webhook-timestamp string and the raw request body.
4. Calculate the HMAC-SHA256 hash of the concatenated string using your webhook’s secret key.
5. Compare the calculated hash (hex-encoded) with the signature extracted from the header. They should match.

It is crucial to use a constant-time comparison function when comparing signatures to prevent timing attacks. (See the examples for more details)