Webhooks
In this guide, we will look at how to consume and verify webhooks sent by Reloadify. With webhooks, your app can receive real-time notifications when events occur, such as a profile updating or an order being placed.
Configuring webhooks
To configure webhooks, navigate to the webhook settings in the Reloadify dashboard, under your mailing settings. There you can set the webhook URL that Reloadify will send POST requests to when events occur.
Consuming webhooks
When your app receives a webhook request from Reloadify, the payload contains a JSON body with the event data. Always verify the webhook signature before processing the payload.
Each webhook request includes a Webhook-Signature header containing an HMAC SHA-256 signature. You should verify this signature using your webhook secret to ensure the request is authentic.
Example webhook payload
{
  "event": "profile.updated",
  "data": {
    "id": "prf_a1b2c3",
    "email": "jane@example.com",
    "first_name": "Jane",
    "last_name": "Doe",
    "updated_at": "2024-01-15T10:30:00Z"
  }
}
Verifying webhook signatures
All webhooks use an HMAC SHA-256 signature sent in the Webhook-Signature header for security and verification. You should always verify this signature before processing a webhook payload.
Verifying a webhook signature
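const crypto = require('crypto')

// Signature sent with the request (Node.js lower-cases header names)
const signature = req.headers['webhook-signature'] || ''
// Serialized JSON body that the HMAC is computed over
const payload = JSON.stringify(req.body)
// Expected signature: hex HMAC SHA-256 keyed with your webhook secret
const hash = crypto
  .createHmac('sha256', webhookSecret)
  .update(payload)
  .digest('hex')

// Compare in constant time; timingSafeEqual throws on unequal lengths,
// so the lengths are checked first
const expected = Buffer.from(hash)
const received = Buffer.from(signature)
if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
  // Request is verified
} else {
  // Request could not be verified
}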
If your generated signature matches the Webhook-Signature header, you can be sure that the request was truly sent by Reloadify. Keep your webhook secret safe and never expose it in client-side code.
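An end-to-end version of this check for a Node.js receiver, added here as an illustration and not Reloadify's own code. It assumes the signature is the hex HMAC SHA-256 of the request body exactly as received, which is why it verifies the raw bytes rather than a re-serialized object; `verifyWebhook`, `handleWebhook`, the secret and the sample body are constructed for the example.

```javascript
const { createHmac, timingSafeEqual } = require('crypto')

// True only when `header` is the hex HMAC SHA-256 of `rawBody` under `secret`.
// rawBody is a Buffer holding the request body exactly as it arrived.
function verifyWebhook(rawBody, header, secret) {
  // Reject a missing or malformed header before comparing anything.
  if (typeof header !== 'string' || !/^[0-9a-f]{64}$/i.test(header)) return false
  const expected = createHmac('sha256', secret).update(rawBody).digest()
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(expected, Buffer.from(header, 'hex'))
}

// Verify first, parse second: unauthenticated JSON never reaches the parser.
function handleWebhook(rawBody, headers, secret) {
  if (!verifyWebhook(rawBody, headers['webhook-signature'], secret)) {
    return { status: 401, event: null }
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')).event }
  } catch (err) {
    return { status: 400, event: null }
  }
}

// Constructed sample values, not real Reloadify data.
const SECRET = 'example-webhook-secret'
const RAW = Buffer.from('{ "event": "profile.updated", "data": { "id": "prf_a1b2c3" } }')
const SIG = createHmac('sha256', SECRET).update(RAW).digest('hex')

function demo() {
  const tampered = Buffer.from(RAW.toString().replace('prf_a1b2c3', 'prf_zzzzzz'))
  // Same JSON value, different bytes: re-serializing drops the spaces.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())))
  return {
    genuine: handleWebhook(RAW, { 'webhook-signature': SIG }, SECRET),
    tampered: handleWebhook(tampered, { 'webhook-signature': SIG }, SECRET).status,
    missing: handleWebhook(RAW, {}, SECRET).status,
    truncated: handleWebhook(RAW, { 'webhook-signature': SIG.slice(0, 10) }, SECRET).status,
    reserialized: verifyWebhook(reserialized, SIG, SECRET)
  }
}

console.log(demo())
```

In an Express app, the raw bytes are available by mounting `express.raw({ type: 'application/json' })` on the webhook route instead of the JSON body parser.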