Webhook
A webhook in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application. The term "webhook" was coined by Jeff Lindsay in 2007 from the computer programming term hook.[1]
The payload format is usually JSON, and the request is delivered as an HTTP POST.
Function
Webhooks are "user-defined HTTP callbacks".[2] They are usually triggered by some event, such as pushing code to a repository[3] or a comment being posted to a blog.[4] When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.
Common uses are to trigger builds with continuous integration systems[5] or to notify bug tracking systems.[6] Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.[7]
Authenticating the webhook notification
When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a spoofing attack and its timestamp verified to avoid a replay attack.[8] Different techniques to authenticate the client are used:
- HTTP basic authentication can be used to authenticate the client.[9]
- The webhook can include information about what type of event it is, and a shared secret or digital signature to verify the webhook.
- An HMAC signature can be included as an HTTP header. GitHub,[10] Stripe[11] and Facebook[12] use this technique.
- Mutual TLS authentication can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.[13]
The sender may choose to keep a constant list of IP addresses from which requests will be sent. This is not a sufficient security measure on its own, but it is useful for when the receiving endpoint is behind a firewall or NAT.
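An added example (not from the article or from any of the providers it cites) of the HMAC-signature technique combined with the timestamp check described above. The header names X-Webhook-Timestamp and X-Webhook-Signature and the shared secret are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example; a real one is provisioned out of band
# and kept out of source control.
SECRET = b"example-shared-secret-not-for-real-use"
REPLAY_WINDOW_SECONDS = 300  # how stale a delivery may be before it is treated as a replay


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over 'timestamp.body' so the timestamp is covered by the MAC."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, timestamp: int):
    """Sender side: serialise the event and attach the (hypothetical) timestamp and signature headers."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {
        "Content-Type": "application/json",
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign(secret, timestamp, body),
    }
    return headers, body


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: reject spoofed deliveries (bad MAC) and replayed ones (stale timestamp)."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    # compare_digest runs in constant time, so the MAC cannot be learned byte by byte
    # from response timing.
    return hmac.compare_digest(expected, headers.get("X-Webhook-Signature", ""))


if __name__ == "__main__":
    hdrs, raw = build_delivery(SECRET, {"event": "push", "ref": "refs/heads/main"}, int(time.time()))
    print("genuine delivery accepted:", verify(SECRET, hdrs, raw))
    print("tampered body accepted:", verify(SECRET, hdrs, raw + b" "))
```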
References
- ^ "Web hook to revolutionize the web". 3 May 2007. Archived from the original on 2018-06-30.
- ^ "Webhooks". Atlassian. Retrieved 2019-09-24.
- ^ "About Webhooks". GitHub Help.
- ^ "WordPress Webhooks".
- ^ "Jenkins GitHub Commit Hooks HOWTO". Archived from the original on 2015-09-25.
- ^ "Google Project Hosting - Post-Commit Web Hooks".
- ^ "What are WebHooks and How Do They Enable a Real-time Web?"
- ^ "Why Verify". Svix. Svix Inc. Retrieved September 12, 2021. "Another potential security hole is what's called replay attacks."
- ^ "DocuSign Connect Now Includes Basic Authentication Support". DocuSign. DocuSign, Inc. Retrieved January 15, 2020. "the Connect notification service has been updated to support the Basic Authentication scheme with customers' Connect servers (listeners)."
- ^ "Securing your webhooks". GitHub. GitHub, Inc. Retrieved September 12, 2021.
- ^ "Checking Webhook Signatures". Stripe. Stripe, Inc. Retrieved 12 May 2019.
- ^ "Getting Started - Graph API - Documentation - Facebook for Developers". Facebook. Facebook, Inc. Retrieved 12 May 2019.
- ^ "Mutual TLS: Stuff you should know". DocuSign. DocuSign, Inc. Retrieved January 15, 2020. "Mutual TLS plus Client Access Control enables your listener app to ensure that the Connect notification message was sent by DocuSign and that it wasn't modified en route."
Xero API webhooks
What are webhooks?
Webhooks allow you to subscribe to certain events that happen in Xero. When one of these events is triggered we'll send an HTTP POST payload to the webhook's configured URL.
Webhooks are configured on a per-app basis and we will send you events for every Xero organisation connected to the app. Webhooks can be created on all apps, although you would need to use the offline_access scope in order to maintain the connection longer than 30 minutes.
Note: There should be at least one organisation connected to the app in order to receive the events payload. This Postman tutorial can guide you through connecting an organisation.
Events
When you configure a webhook you choose the category of events you'd like to subscribe to. Within each category there are certain types of events that can happen (e.g. create, update).
The available events are:
- Contact: CREATE (a new contact has been created); UPDATE (an existing contact has been updated, including when contacts are archived)
- Invoice: CREATE (a new invoice has been created); UPDATE (an existing invoice has been updated, including when invoices are archived)
- Subscription: CREATE (a new Xero App Store subscription has been created); UPDATE (an existing Xero App Store subscription has been updated, e.g. upgrade/downgrade/cancel/renew)
Payloads
The JSON payload will be a consistent format for all categories of events. It will consist of:
- Events array: the details of the events that you've subscribed to
- Last Event Sequence: the sequence number of the last event in this payload
- First Event Sequence: the sequence number of the first event in this payload
- Entropy: a random string to make the payload more cryptographically secure
Each Event will consist of:
- Resource URL: the URL to retrieve the resource that has changed
- Resource ID: the ID of the resource that has changed (e.g. ContactID)
- Event Date UTC: the date and time that the event occurred (UTC time)
- Event Type: the type of event that occurred (e.g. Update)
- Event Category: the category of event that occurred (e.g. CONTACT). You will only receive events from categories that your webhook is subscribed to
- Tenant ID: the ID of the tenant that the event happened in relation to (OrganisationID or ApplicationID)
- Tenant Type: the type of tenant; depending on the type of event it will be one of ORGANISATION (for Contact or Invoice events) or APPLICATION (for Subscription events)
Example payload
{
  "events": [
    {
      "resourceUrl": "https://api.xero.com/api.xro/2.0/Contacts/717f2bfc-c6d4-41fd-b238-3f2f0c0cf777",
      "resourceId": "717f2bfc-c6d4-41fd-b238-3f2f0c0cf777",
      "eventDateUtc": "2017-06-21T01:15:39.902",
      "eventType": "Update",
      "eventCategory": "CONTACT",
      "tenantId": "c2cc9b6e-9458-4c7d-93cc-f02b81b0594f",
      "tenantType": "ORGANISATION"
    }
  ],
  "lastEventSequence": 1,
  "firstEventSequence": 1,
  "entropy": "S0m3r4Nd0mt3xt"
}
The x-xero-signature header
A hashed signature of the payload is passed along in the headers of each request as x-xero-signature. This signature is used when doing an intent to receive validation.
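An added example (not Xero's own code) of a receiver parsing the payload format described above and using firstEventSequence/lastEventSequence to spot duplicate or missed deliveries. It assumes, which the page does not state, that sequence numbers increase monotonically per webhook, and that the x-xero-signature check on the raw bytes has already passed; the sample payload is the one shown above.

```python
import json
from dataclasses import dataclass

ALLOWED_TENANT_TYPES = {"ORGANISATION", "APPLICATION"}  # the two tenant types listed above


@dataclass(frozen=True)
class XeroEvent:
    resource_url: str
    resource_id: str
    event_date_utc: str
    event_type: str
    event_category: str
    tenant_id: str
    tenant_type: str


def parse_payload(raw: bytes):
    """Parse a payload in the format described above into (events, first_seq, last_seq).
    Assumes the x-xero-signature check on the raw bytes already passed; unknown tenant types are rejected."""
    data = json.loads(raw)
    events = []
    for e in data["events"]:
        if e["tenantType"] not in ALLOWED_TENANT_TYPES:
            raise ValueError(f"unexpected tenantType {e['tenantType']!r}")
        events.append(XeroEvent(e["resourceUrl"], e["resourceId"], e["eventDateUtc"],
                                e["eventType"], e["eventCategory"], e["tenantId"], e["tenantType"]))
    return events, int(data["firstEventSequence"]), int(data["lastEventSequence"])


class SequenceTracker:
    """Classifies each payload by its sequence range against what was already processed.
    Assumption (not stated on the page): sequence numbers increase monotonically per webhook."""

    def __init__(self) -> None:
        self.last_processed = 0

    def classify(self, first: int, last: int) -> str:
        if last <= self.last_processed:
            return "duplicate"  # already handled; acknowledge without reprocessing
        status = "gap" if first > self.last_processed + 1 else "ok"  # gap: deliveries were missed
        self.last_processed = last
        return status


# Constructed sample, copied from the example payload above.
SAMPLE = json.dumps({
    "events": [{"resourceUrl": "https://api.xero.com/api.xro/2.0/Contacts/717f2bfc-c6d4-41fd-b238-3f2f0c0cf777",
                "resourceId": "717f2bfc-c6d4-41fd-b238-3f2f0c0cf777", "eventDateUtc": "2017-06-21T01:15:39.902",
                "eventType": "Update", "eventCategory": "CONTACT",
                "tenantId": "c2cc9b6e-9458-4c7d-93cc-f02b81b0594f", "tenantType": "ORGANISATION"}],
    "lastEventSequence": 1, "firstEventSequence": 1, "entropy": "S0m3r4Nd0mt3xt",
}).encode()
```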