Webhook Basics
Getting Started
You can create webhooks either on your Workflows page or via the POST webhooks/subscribe endpoint.
A webhook event will be considered successful if the webhook URL returns a 200 HTTP response.
Verifying Signatures
Each webhook event sent by Zylvie is signed via a Hash-based Message Authentication Code (HMAC) using the workflow secret key.
We generate a unique secret key for each workflow automation that you create, which you can obtain from your Edit Workflow page.
The HMAC-SHA1 algorithm is used to generate the webhook payload signature, which is passed along with each request in the headers as Zylvie-Signature.
Code Examples
You may use the following code examples to verify webhook signatures, so you know for sure that each event is coming from us:
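- Python

```python
import hashlib
import hmac

from django.http import HttpResponse

WEBHOOK_SIGNING_SECRET = 'webhook signing secret'

def verify_signature(request_body, signature):
    # HMAC-SHA1 of the raw request body, hex-encoded
    digest = hmac.new(bytes(WEBHOOK_SIGNING_SECRET, 'UTF-8'), request_body, hashlib.sha1).hexdigest()
    # Constant-time comparison
    return hmac.compare_digest(signature.encode(), digest.encode())

def webhook(request):
    # Django exposes the Zylvie-Signature header as HTTP_ZYLVIE_SIGNATURE
    if not verify_signature(request.body, request.META.get('HTTP_ZYLVIE_SIGNATURE', '')):
        # verification failed
        return HttpResponse(status=400)
    # verification success
    return HttpResponse(status=200)
```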
- PHP

```php
<?php
const WEBHOOK_SIGNING_SECRET = 'webhook signing secret';

function verifySignature($body, $signature) {
    $digest = hash_hmac('sha1', $body, WEBHOOK_SIGNING_SECRET);
    // hash_equals compares in constant time
    return hash_equals($digest, $signature);
}

$signature = $_SERVER['HTTP_ZYLVIE_SIGNATURE'] ?? '';
if (!verifySignature(file_get_contents('php://input'), $signature)) {
    // verification failed
    http_response_code(400);
    exit;
}
// verification success
```
- Ruby

```ruby
require 'sinatra'
require 'openssl'

WEBHOOK_SIGNING_SECRET = 'webhook signing secret'

def verify_signature(body, signature)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), WEBHOOK_SIGNING_SECRET, body)
  # Constant-time comparison; a missing header becomes an empty string
  Rack::Utils.secure_compare(digest, signature.to_s)
end

post '/payload' do
  request.body.rewind
  body = request.body.read
  signature = request.env['HTTP_ZYLVIE_SIGNATURE']
  unless verify_signature(body, signature)
    # verification failed
    halt 400
  end
  # verification success
end
```
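- Node.js

```javascript
const crypto = require('crypto');
const express = require('express');

const WEBHOOK_SIGNING_SECRET = 'webhook signing secret';
const app = express();

// Keep the raw request bytes: the signature covers the body exactly as sent
app.use(express.raw({ type: '*/*', verify: (req, res, buf) => { req.rawBody = buf; } }));

function verifySignature (body, signature) {
  const digest = crypto
    .createHmac('sha1', WEBHOOK_SIGNING_SECRET)
    .update(body || '')
    .digest('hex');
  const expected = Buffer.from(digest);
  const received = Buffer.from(signature || '');
  // timingSafeEqual throws on a length mismatch, so check the length first
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

app.post('/webhooks', function (req, res, next) {
  // Node.js lowercases incoming header names
  if (!verifySignature(req.rawBody, req.headers['zylvie-signature'])) {
    // verification failed
    return res.sendStatus(400);
  }
  // verification success
  res.sendStatus(200);
});
```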
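The signature covers the request body exactly as it was sent, so verification has to run on the raw bytes and not on a parsed and re-serialized copy. The following framework-free check is an added example, not Zylvie's own code; the secret, the payload and the `sign` helper that stands in for the sender are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not real Zylvie data)
SECRET = b"example-workflow-secret"
RAW_BODY = b'{"event": "sale", "amount": 10.50, "buyer": "a@example.com"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA1 of the raw body, the format described for Zylvie-Signature."""
    return hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is the HMAC-SHA1 of raw_body."""
    if not isinstance(header_value, str):
        return False  # header missing from the request
    expected = sign(secret, raw_body)
    # Compare as bytes in constant time; wrong-length or non-ASCII input just fails
    return hmac.compare_digest(expected.encode(), header_value.encode())


def demo() -> dict:
    good = sign(SECRET, RAW_BODY)
    # Parsing and re-dumping turns 10.50 into 10.5, so the bytes no longer match
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "valid": verify(SECRET, RAW_BODY, good),
        "tampered_body": verify(SECRET, RAW_BODY.replace(b"10.50", b"0.01"), good),
        "reserialized_json": verify(SECRET, reserialized, good),
        "wrong_secret": verify(b"some-other-secret", RAW_BODY, good),
        "missing_header": verify(SECRET, RAW_BODY, None),
        "truncated_header": verify(SECRET, RAW_BODY, good[:-1]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the `valid` case is accepted; the `reserialized_json` case shows why frameworks that hand you a parsed body need to be configured to keep the original bytes.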
Retry Policy
A webhook call will be retried up to 3 times if the HTTP endpoint responds with any status code other than 200.