Image Description Image Description

No Results

  • Support
Logo Logo v1.0
  • Basics
  • Getting started
  • Get authenticating user
  • Products
  • Create a Product
  • License Keys
  • Verify a License Key
  • Redeem a License Key
  • Refund a License Key
  • Subscriptions
  • Verify a Subscription
  • Webhooks
  • Basics
  • Subscribe
  • Unsubscribe
  • Webhook Events
  • New sale
  • New lead
  • New affiliate sign-up
  • New subscription
  • Subscription cancellation

Webhook Basics

Getting Started

You can create webhooks either on your Workflows page or via the POST webhooks/subscribe endpoint.

A webhook event will be considered successful if the webhook URL returns a 200 HTTP response.

Verifying Signatures

Each webhook event sent by Zylvie is signed via a Hash-based Message Authentication Code (HMAC) using the workflow secret key.

We generate a unique secret key for each workflow automation that you create, which you can obtain from your Edit Workflow page.

The HMAC-SHA1 algorithm is used to generate the webhook payload signature, which is passed along with each request in the headers as Zylvie-Signature.

Code Examples

You may use these follow code examples to verify webhook signatures, so you know for sure that it's coming from us:

  1. Python

          
            WEBHOOK_SIGNING_SECRET = 'webhook signing secret'
    
            def verify_signature(request_body, signature):
                digest = hmac.new(bytes(WEBHOOK_SIGNING_SECRET, 'UTF-8'), request_body, hashlib.sha1).hexdigest()
                return signature == digest
    
            if not verify_signature(request.body, request.META['HTTP_ZYLVIE_SIGNATURE']):
                # verification failed
    
            # verification success
          
        
  2. PHP

          
            const WEBHOOK_SIGNING_SECRET = 'webhook signing secret';
    
            function verifySignature($webhookJson, $signature) {
                // Re-serialize the parsed JSON object
                $jsonString = json_encode($webhookJson);
                
                // Create HMAC-SHA1 digest of the re-serialized JSON
                $digest = hash_hmac('sha1', $jsonString, WEBHOOK_SIGNING_SECRET);
                
                return $signature === $digest;
            }
    
            // Read the raw request body
            $rawBody = file_get_contents('php://input');
    
            // Parse the JSON into an associative array
            $webhookJson = json_decode($rawBody, true);
    
            if (!verifySignature($webhookJson, $_SERVER['HTTP_ZYLVIE_SIGNATURE'])) {
                // verification failed
                http_response_code(400);
                echo "Signature verification failed";
                exit;
            }
            // verification success
          
        
  3. Ruby

          
            WEBHOOK_SIGNING_SECRET = 'webhook signing secret'
    
            post '/payload' do
              request.body.rewind
              body = request.body.read
              signature = request.env['HTTP_ZYLVIE_SIGNATURE']
              
              # Parse the JSON body
              webhook_json = JSON.parse(body)
              
              # Re-serialize the JSON object, matching the Python implementation
              json_string = JSON.generate(webhook_json)
              
              # Generate HMAC-SHA1 signature using the re-serialized JSON
              digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), WEBHOOK_SIGNING_SECRET, json_string)
              
              unless digest == signature
                # verification failed
                halt 400, "Signature verification failed"
              end
              # verification success
              # Continue processing...
            end
    
            def verifySignature(webhook_json, signature)
              # Convert webhook_json (already parsed object) to string
              json_string = JSON.generate(webhook_json)
              
              # Create the HMAC-SHA1 digest
              digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), WEBHOOK_SIGNING_SECRET, json_string)
              
              return digest == signature
            end
          
        
  4. Node.js

          
            const WEBHOOK_SIGNING_SECRET = 'webhook signing secret';
            const crypto = require('crypto');
    
            function verifySignature(jsonObject, signature) {
                const jsonString = JSON.stringify(jsonObject);
                const digest = crypto
                    .createHmac('sha1', WEBHOOK_SIGNING_SECRET)
                    .update(jsonString)
                    .digest('hex');
                return signature === digest;
            };
    
            app.post('/webhooks', function (req, res, next) {
                if (!verifySignature(req.body, req.headers['Zylvie-Signature'])) {
                    // verification failed
                }
                // verification success
            });
          
        

Retry Policy

A webhook call will be retried for up to 3 times if the HTTP endpoint responds with any status code other than 200.