Webhooks (closed beta)

In this guide, we will look at how to register and consume webhooks to integrate your app with Offerte Adviseur. With webhooks, your app can know when something happens in Offerte Adviseur, such as status updates for leads or newly created invoices.

Registering webhooks

To register a new webhook, you need to have a URL in your app that Offerte Adviseur can call. You can configure a new webhook from the Offerte Adviseur dashboard under API settings. Give your webhook a name, pick the events you want to listen for, and add your URL.

Now, whenever something of interest happens, a webhook is fired off by Offerte Adviseur. In the next section, we'll look at how to consume webhooks.

Consuming webhooks

When your app receives a webhook request from Offerte Adviseur, check the type attribute to see what event caused it. The first part of the event type will tell you the payload type, e.g., a lead, invoice, etc.

Example webhook payload

{
  "id": "a056V7R7NmNRjl70",
  "type": "lead.created",
  "payload": {
    "id": 12345
    // ...
  }
}

In the example above, a lead was created, and the payload type is a lead.

See all event types

Event types

  • Name
    lead.created
    Description

    A new lead was created.

  • Name
    lead.sold
    Description

    A lead was marked as sold.

  • Name
    lead.invoiced
    Description

    An invoice was created for a lead.

  • Name
    lead.paid
    Description

    A lead's invoice was paid.

  • Name
    invoice.created
    Description

    A new invoice was created.

  • Name
    invoice.paid
    Description

    An invoice was successfully paid.

Example payload

{
  "id": "a056V7R7NmNRjl70",
  "type": "lead.created",
  "payload": {
    "lead_id": 12345,
    "website_code": "1cd440df63f796a1f69da652cd0209",
    "subcategory_id": "1",
    "created_at": "2024-03-01T12:00:00Z"
  }
}

Security

To know for sure that a webhook was, in fact, sent by Offerte Adviseur instead of a malicious actor, you can verify the request signature. Each webhook request contains a header named x-offerte-adviseur-signature, and you can verify this signature by using your secret webhook key. The signature is an HMAC hash of the request payload hashed using your secret key. Here is an example of how to verify the signature in your app:

Verifying a request

$signature = $request['headers']['x-offerte-adviseur-signature'];
$hash = hash_hmac('sha256', $payload, $secret);

if (hash_equals($hash, $signature)) {
// Request is verified
} else {
// Request could not be verified
}

If your generated signature matches the x-offerte-adviseur-signature header, you can be sure that the request was truly coming from Offerte Adviseur. It's essential to keep your secret webhook key safe — otherwise, you can no longer be sure that a given webhook was sent by Offerte Adviseur. Don't commit your secret webhook key to GitHub!

Was this page helpful?