Webhooks

Receive real-time notifications when events occur in your CRM.

Overview

Webhooks send HTTP POST requests to your endpoint when events happen:

Client created or updated
Invoice created, sent, or paid
Quote accepted or rejected
And more...

Creating a Webhook

Go to Settings → Integrations → Webhooks
Click Create Webhook
Configure:
- URL: Your endpoint URL (must be HTTPS)
- Event Types: Select events to subscribe to
- Status: Active or Inactive
Click Save
Copy the Signing Secret (shown only once)

Available Events

Client Events

client.created - New client created
client.updated - Client information updated

Invoice Events

invoice.created - New invoice created
invoice.updated - Invoice updated
invoice.sent - Invoice sent to client
invoice.paid - Invoice marked as paid
invoice.status_updated - Invoice status changed

Quote Events

quote.created - New quote created
quote.sent - Quote sent to client
quote.accepted - Quote accepted by client
quote.rejected - Quote rejected by client

Webhook Payload

Structure

json

{
  "event": "client.created",
  "timestamp": "2024-12-13T10:00:00Z",
  "data": {
    "id": "uuid",
    "company_name": "Example Corp",
    "email": "contact@example.com"
  }
}

Event Field

The event field indicates the event type:

Matches the event type you subscribed to
Use to route to appropriate handlers

Data Field

The data field contains the resource:

Full resource object
Same structure as API responses
Includes all fields

Signature Verification

Why Verify?

Always verify webhook signatures to ensure:

Requests come from autoch.at CRM
Data hasn't been tampered with
Security and integrity

HMAC Signature

Webhooks include an HMAC-SHA256 signature:

http

X-Webhook-Signature: sha256=signature_here

Verification Process

Get the signing secret from webhook settings
Create signature from request body
Compare with X-Webhook-Signature header
Reject if signatures don't match

Example (Node.js)

javascript

const crypto = require('crypto');

function verifyWebhook(body, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = hmac.update(JSON.stringify(body)).digest('hex');
  const expectedSignature = `sha256=${digest}`;
  
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

Example (Python)

python

import hmac
import hashlib
import json

def verify_webhook(body, signature, secret):
    digest = hmac.new(
        secret.encode('utf-8'),
        json.dumps(body).encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    expected_signature = f'sha256={digest}'
    
    return hmac.compare_digest(signature, expected_signature)

Retry Logic

Automatic Retries

Webhook delivery includes automatic retries:

Exponential backoff: 1m, 5m, 30m, 2h, 12h
Maximum 5 attempts
Failed after max attempts

Response Requirements

Your endpoint should:

Return 200 OK for successful processing
Return 4xx for client errors (no retry)
Return 5xx for server errors (will retry)
Process within 30 seconds

Retry Headers

http

X-Webhook-Attempt: 1
X-Webhook-Retry-After: 60

Testing Webhooks

Test Button

Open webhook in settings
Click Test Webhook
System sends test event
Check your endpoint logs

Test Payload

Test events use this structure:

json

{
  "event": "webhook.test",
  "timestamp": "2024-12-13T10:00:00Z",
  "data": {
    "message": "Test webhook"
  }
}

Webhook Logs

Viewing Logs

Open webhook in settings
Click View Logs
See delivery history:
- Timestamp
- Event type
- Status (delivered, failed, pending)
- Response code
- Error messages

Log Details

Each log entry shows:

Request sent
Response received
Retry attempts
Error details

Best Practices

Endpoint Requirements

Use HTTPS: Required for security
Return quickly: Process asynchronously if needed
Handle errors: Return appropriate status codes
Log everything: Track all webhook deliveries
Idempotent processing: Handle duplicate events

Security

Verify signatures: Always verify HMAC signatures
Use HTTPS: Never use HTTP
Validate data: Check data before processing
Rate limiting: Implement rate limiting on your endpoint
Monitor logs: Watch for suspicious activity

Error Handling

Return 200 quickly: Acknowledge receipt
Process asynchronously: Don't block on processing
Retry logic: Implement your own retry if needed
Dead letter queue: Store failed events for review

Webhook Status

Active

Webhooks are delivered
Events are sent
Monitor logs regularly

Inactive

Webhooks are paused
No events sent
Can be reactivated

Next Steps

API Documentation - Learn about the API
Connectors - Set up connectors
WordPress Plugin - Integrate with WooCommerce

Webhooks ​

Overview ​

Creating a Webhook ​

Available Events ​

Client Events ​

Invoice Events ​

Quote Events ​

Webhook Payload ​

Structure ​

Event Field ​

Data Field ​

Signature Verification ​

Why Verify? ​

HMAC Signature ​

Verification Process ​

Example (Node.js) ​

Example (Python) ​

Retry Logic ​

Automatic Retries ​

Response Requirements ​

Retry Headers ​

Testing Webhooks ​

Test Button ​

Test Payload ​

Webhook Logs ​

Viewing Logs ​

Log Details ​

Best Practices ​

Endpoint Requirements ​

Security ​

Error Handling ​

Webhook Status ​

Active ​

Inactive ​

Next Steps ​