Overview
Webhooks let you receive real-time notifications when events occur on your Chowdeck orders. Instead of polling for updates, Chowdeck sends an HTTP POST request to your configured endpoint whenever a relevant event takes place.
Setting up your webhook URL
Configure your webhook URL in the Chowdeck Dashboard:
https://dashboard.chowdeck.com/settings/developers
All webhook events are sent as HTTP POST requests to this URL with a JSON body.
Payload structure
Every webhook event shares the same top-level structure:
{
"category": "ORDER_CREATED",
"description": "New order",
"payload": { ... }
}| Field | Type | Description |
|---|---|---|
category | string | The event type (e.g. ORDER_CREATED) |
description | string | A human-readable description of the event |
payload | object | The order object at the time the event fired. See Webhook Events for the full payload reference. |
Verifying webhook signatures
All webhook requests include an x-chowdeck-signature header. You must verify this signature to confirm the request genuinely came from Chowdeck and has not been tampered with.
Verification steps:
- Retrieve the
x-chowdeck-signatureheader from the request - Compute an HMAC SHA-256 digest of the raw request body using your webhook secret
- Compare the computed digest with the received signature
- Reject the request if they do not match
Example (Node.js):
const crypto = require('crypto');
function verifySignature(payload, signature, secret) {
const computed = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(computed, 'utf8'),
Buffer.from(signature, 'utf8')
);
}Always use
crypto.timingSafeEqualfor signature comparison. Standard string equality (===) is vulnerable to timing attacks.
Responding to webhooks
Your endpoint must return a 200 OK response as quickly as possible to acknowledge receipt. If your processing logic takes time, acknowledge first and handle the event asynchronously.
If your endpoint does not return a
200 OK, Chowdeck will retry the delivery using an exponential backoff strategy. Design your handler to be idempotent -- processing the same event more than once should produce the same result.
Security best practices
- Verify every signature -- never process a webhook without first verifying the
x-chowdeck-signatureheader - Use HTTPS -- always use an HTTPS endpoint to encrypt webhook traffic
- Handle retries -- design your endpoint to be idempotent since events may be delivered more than once
- Use environment variables -- store your webhook secret as an environment variable, never hardcode it
Updated 19 days ago