Webhooks and Events
Webhooks
Spaaza provides webhooks and event notifications which can post a standard JSON object to an external API endpoint. Webhooks are triggered by events in Spaaza and are commonly used to trigger another event in an external system - for example triggering an email to be sent when a customer receives a voucher.
Webhook format
A webhook or event notification is a POST that Spaaza sends to a specific URL. The body of the POST is JSON that includes the object.
As with API endpoints, Spaaza may add fields containing new information to the JSON body of webhooks and event notifications. Spaaza will not remove any fields or change the field type of existing fields in webhooks without prior notification.
Configuring webhooks
Some, but not all, webhooks can be configured as "triggers" in Console. Whenever the relevant event occurs we send a simple POST request to the URL. The body of the POST is JSON that includes the object.
We currently support triggers to the following services:
- Standard webhook (a webhook of standard format sent as a POST to a URL of your choosing)
- Klaviyo
- Mailchimp (Mandrill)
- Shopify
Other webhooks and notifications can be configured manually by our team so please get in touch if you would like us to set one up for you.
Verifying webhooks are from Spaaza
So that you can verify that the POST originates from Spaaza we provide a signature in a request header (X-Spaaza-Hmac-SHA256).
The value of the header is a base64-encoded HMAC-SHA256 hash of the whole body of the request using a shared secret. Your code to handle the event would need to recreate the signature using the shared secret and compare it to the value in the header.
Signature verification is available for webhooks of type https. To use it, first create a webhook signature key using the add-webhook-signature endpoint, and then link it to your webhook configuration using the webhook_signature_id parameter when creating or updating a webhook with the add-webhook or alter-webhook endpoints.
How HMAC signature verification works
- When a webhook is triggered, Spaaza computes an HMAC-SHA256 hash of the JSON payload using the webhook signature key as the secret.
- The hash is base64-encoded and sent as the
X-Spaaza-Hmac-SHA256header. - When you receive the webhook, recompute the HMAC-SHA256 hash of the raw request body using the same shared secret key, base64-encode it, and compare it to the value in the header.
If the values match, the webhook is authentic and has not been tampered with in transit.
Available webhook events
The following webhook events are available in Spaaza:
| Event name | Description |
|---|---|
shopper.opted-in | Triggered when a user opts in to the loyalty programme |
shopper.opted-out | Triggered when a user opts out of the loyalty programme |
shopper.req-pwd-reset | Triggered when a user requests a password reset |
shopper.altered | Triggered when a user's profile is altered |
shopper.notification | Triggered as a result of a send-notification request |
shopper.joined-mail-list | Triggered when a user joins the mailing list |
shopper.transaction | Triggered when a basket transaction is completed |
shopper.loyalty-level-changed | Triggered when a user's loyalty level changes |
shopper.voucher-issued | Triggered when a voucher is issued to a user |
shopper.voucher-unclaimed | Triggered when a voucher is unclaimed |
shopper.voucher-claimed | Triggered when a voucher is claimed by a user |
shopper.voucher-redeemed | Triggered when a voucher is redeemed |
shopper.voucher-deleted | Triggered when a voucher is deleted |
shopper.voucher-expiring | Triggered when a voucher is approaching its expiry date |
shopper.points-mutation | Triggered when a points or wallet balance mutation occurs |
Webhook management API endpoints
The following API endpoints are available for managing webhook configurations and webhook signature keys:
Webhook configuration endpoints
- add-webhook - Create a new webhook configuration
- alter-webhook - Update an existing webhook configuration
- get-webhook - Retrieve a single webhook configuration
- get-webhooks - List webhook configurations for a chain
- delete-webhook - Delete a webhook configuration
Webhook signature endpoints
- add-webhook-signature - Create a new webhook signature key
- get-webhook-signature - Retrieve a single webhook signature key
- get-webhook-signatures - List webhook signature keys for a chain
- delete-webhook-signature - Delete a webhook signature key