Webhooks

Webhooks are a way to notify your application when an event occurs, such as a new order. They allow for deeper e-commerce integration of your shopping cart.

Snipcart will send a POST request to a URL that you provide in the dashboard.

Configure webhook URL

To configure this setting, first log into the Snipcart dashboard. In the right-sided Account menu, you will see Webhooks under Store configurations.

The URL you provide must be an absolute URL, e.g. https://myapplication.com/webhooks

We present examples of how to consume webhook requests further down this entry.

Secure your Webhook endpoint

If your data is protected and you want to make sure the request is coming from Snipcart, you can use the X-Snipcart-RequestToken header. We add this header to each request we make to an external website, including webhook requests. Your endpoint can then send this token back to our API, which confirms that the token was issued by Snipcart. Think of it as a handshake.

The endpoint you'll need to call is: https://app.snipcart.com/api/requestvalidation/{token}.

Here's an example in PHP

protected function validateRequest($data)
{
    // Snipcart sends the token in the X-Snipcart-RequestToken header.
    if (!isset($_SERVER['HTTP_X_SNIPCART_REQUESTTOKEN'])) {
        throw new Exception('Invalid request: no request token');
    }
    $requestToken = $_SERVER['HTTP_X_SNIPCART_REQUESTTOKEN'];
    $g = new Gateway();
    // The header is untrusted input: encode it before placing it in the URL path.
    $g->init('https://app.snipcart.com/api/requestvalidation/' . rawurlencode($requestToken));
    $g->setopt('GET', 1);
    // Basic auth: the API key is the username, the password is empty.
    $g->setopt(CURLOPT_USERPWD, eventSnipcart::SNIPCART_API_KEY . ':');
    $g->setopt(CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    $g->setopt('HTTPHEADER', array('Accept: application/json'));
    $response = $g->exec();
    $status = $g->getInfoLast();

    if (empty($response) || $status['http_code'] != 200) {
        throw new Exception('Invalid request: no response');
    }

    $response = json_decode($response);
    if (!$response) {
        throw new Exception('Invalid request: response not json');
    }
    // The token echoed by the API must match the one we received.
    if (!isset($response->token) || $response->token !== $requestToken) {
        throw new Exception('Invalid request: invalid token');
    }
    return true;
}

Another example in C#

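// using System; using System.Net.Http; using System.Net.Http.Headers;
// using System.Text; using System.Web; using Newtonsoft.Json;
private bool RequestIsValid(HttpRequestBase request)
{
    // Read the token from the request that was passed in.
    var requestToken = request.Headers["X-Snipcart-RequestToken"];

    if (string.IsNullOrWhiteSpace(requestToken))
        return false;

    var client = new HttpClient();
    // Basic auth: the secret API key is the username, the password is empty.
    var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes("SECRET_API_KEY:"));
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", credentials);
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

    // The header is untrusted input: escape it before placing it in the URL path.
    var response = client.GetAsync("https://app.snipcart.com/api/requestvalidation/" + Uri.EscapeDataString(requestToken)).Result;

    // Reject before parsing if the validation call itself failed.
    if (!response.IsSuccessStatusCode)
        return false;

    var content = response.Content.ReadAsStringAsync().Result;
    var json = JsonConvert.DeserializeObject<ValidationToken>(content);

    if (json == null ||
        string.IsNullOrWhiteSpace(json.Resource) ||
        !json.Resource.EndsWith("webhooks/receive") ||
        string.IsNullOrWhiteSpace(json.Token) ||
        !json.Token.Equals(requestToken, StringComparison.OrdinalIgnoreCase))
        return false;

    return true;
}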

public class ValidationToken
{
    public string Token { get; set; }
    public string Resource { get; set; }
}
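
The same handshake in Python, as an added example that is not Snipcart's own code; it returns False on every failure path (missing header, network error, non-200, non-JSON body, token mismatch). The function names, the injectable `fetch` transport, the 256-character cap and the `resource_suffix` parameter are assumptions of this example; the `token` and `resource` response fields are the ones the examples above read.

```python
import base64
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATION_URL = "https://app.snipcart.com/api/requestvalidation/"  # endpoint from the text above


def http_get(url, api_key, timeout=5):
    """Default transport: GET with the API key as Basic-auth username, empty password."""
    basic = base64.b64encode(f"{api_key}:".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {basic}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def is_snipcart_request(headers, api_key, fetch=http_get, resource_suffix=None):
    """Return True only if Snipcart confirms the token; every failure returns False."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    token = {k.lower(): v for k, v in headers.items()}.get("x-snipcart-requesttoken")
    if not token or len(token) > 256:  # 256 is an arbitrary cap chosen for this example
        return False
    # Percent-encode so the untrusted header value cannot alter the path or query.
    url = VALIDATION_URL + urllib.parse.quote(token, safe="")
    try:
        status, body = fetch(url, api_key)
        data = json.loads(body) if status == 200 else None
    except (OSError, ValueError):  # network error, timeout, or non-JSON body
        return False
    if not isinstance(data, dict) or not isinstance(data.get("token"), str):
        return False
    # Optional check, as in the C# example: the validated resource is our endpoint.
    if resource_suffix and not str(data.get("resource", "")).endswith(resource_suffix):
        return False
    # Constant-time comparison of the echoed token with the one we received.
    return hmac.compare_digest(data["token"].encode(), token.encode())
```

Call `is_snipcart_request(request_headers, api_key)` before processing the webhook body, and respond with an error status when it returns False.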