Note
The Webhooks feature is available to everyone from version 23.2.3 onwards.
As the feature is currently in the beta phase, we are monitoring it closely and are making sure that all our events are properly triggered. Have you experienced any issues? Please reach out to us at: api[at]xentral.com.
A webhook allows you to receive information about events happening in Xentral in an external system. For example, you could get a notification in your application every time a new sales order is created. The information is sent to your external system via an HTTP POST request.
Tip
To learn more technical information about webhooks and possible events, check out the developer documentation.
Note
Creating webhooks requires administrator privileges.
To create a webhook:
-
Go to Settings > Integrations > Webhooks. You will see a list of all webhooks in active use.
-
Click on + Create new Webhook. If there are no webhooks active, you will find the button in the middle of the screen. Otherwise you will find it on the top right of your list.
-
Enter a unique Name for your webhook. The name should not exceed 100 characters.
-
Enter the URL endpoint that should receive information from the webhook. Only secure https URLs are allowed. The URL should not exceed 255 characters.
-
Take note of the Signature key. It will be copied to your clipboard, when you finish creating the webhook. This field is automatically filled with a random 20 character string which serves as the signature key. If you prefer, you can overwrite it with your own string that consists of 20 to 255 characters or you can copy it to clipboard yourself by clicking in the Signature Key field and copying the string.
Important
The signature key enables the receiving system to ensure that the information really is from Xentral . Don't show this key publicly or hardcode it into your system.
You can find out how you can use the signature key to check the signature in the linked section: Check signature of your webhook.
-
Select an Event. It is also possible to select multiple events, if needed. The webhook sends out information to the endpoint every time one of these events happen.
-
Click Create. The signature key will be copied to clipboard and appear on screen one last time. Click if you want to make sure the key has been copied.
-
Close the window.
Your new webhook is displayed in the list of active webhooks. In the overview you can quickly see the URL endpoints and the attached events for every webhook you created.
All webhooks will be listed under Settings > Integrations > Webhooks. When you click Edit you have two options:
-
Edit settings - You can change the name, URL endpoint and signature key as well as add or remove events from the webhook. If you change the signature key you must also update it in your external application.
-
Delete webhook - Click on Delete webhook below the list of events and confirm the deletion request. The external system won't receive new information about events in Xentral anymore.
The header of the HTTP request of the webhook consists of the xentral-signature
and the xentral-request-timestamp
.
You can calculate the xentral-signature
as follows:
-
Create the message out of the
RequestBody
and thexentral-request-timestamp
. For this you need to write down theRequestBody
and then append thexentral-request-timestamp
without adding any spaces or similar. -
Create a
HMAC
of the message with aSHA-256
hash function and use the signature key you defined when creating the webhook as theSecret Key
. -
Compare the hexadecimal output of the HMAC with the
xentral-signature
in the header of the HTTP request. They should be identical.
We can see how this works in the following example where we use the following values:
-
RequestBody
: {"type":"com.xentral.salesOrder.protocolCreated.v1","body":{"createdAt":"2024-05-28T17:30:07+02:00","salesOrderId":169,"salesOrderProtocolId":586}} -
xentral-request-timestamp
: 1716910210 -
Secret Key
: e4nRJ04Ss2m3EkQxn19V
This leads to the following message:
Message: {"type":"com.xentral.salesOrder.protocolCreated.v1","body":{"createdAt":"2024-05-28T17:30:07+02:00","salesOrderId":169,"salesOrderProtocolId":586}}1716910210
The message and the Secret Key
lead to the following xentral-signature
in hexadecimal code when using a HMAC
with SHA-256
: 67b9db5fbe8add6c5b073f42091f593e994de32c83741573015442c154214bcf.