# Webhooks
# Overview
Webhooks enable you to register your application's endpoints and listen for events triggered in Tratta. By subscribing to a webhook, your app can execute code immediately after specific events occur in Tratta, reducing the need for periodic API calls to check their status.
For instance, you can utilize webhooks to initiate an action in your app when a debt account is created or charged. Employing webhook subscriptions allows for fewer overall API calls, ensuring that your apps are more efficient and up-to-date.
# Webhook Anatomy
Upon subscribing to a webhook event, Tratta sends a webhook notification each time an event for that topic occurs. This notification contains a JSON payload and HTTP headers that provide context.
A customer.create webhook, for example, includes the following headers:
- X-Tratta-Event-Name = customer.create
- X-Tratta-Webhook-ID = xxxx
is used to identify unique webhooks, - X-Tratta-Signature-256 = xxxx
is used toverify webhooks
# Receiving a Webhook
Tratta sends an HTTP POST request to the specified URL each time the registered event occurs. The request's POST parameters contain the JSON data relevant to the event that triggered the request.
# Responding to a Webhook
Your webhook acknowledges data receipt by sending response with 2XX status code. Any response outside of the 2XX range indicates that you didn't receive the webhook. Tratta doesn't follow redirects for webhook notifications and considers them to be error responses.
# Retry Frequency
Tratta has implemented a 10 second timeout period and a retry period for webhook subscriptions. Tratta waits five seconds for a response to each request to a webhook. If there's no response, or an error is returned, Tratta retries sending the webhook three times with a 900-second delay between each attempt.
# Creating a Webhook
POST https://<org-uuid>.production.tratta.io/api/v1/webhooks
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks \
-H "Authorization: Bearer eyJ0eXA3asdk..." \
-d url="webhook-url" \
-d "events[]=event-name"
# Parameters
url required|url
URL of your application's webhook that Tratta will send events to.
events required|array|in:supported events
Array of supported events you want to listen to.
Supported events:
charge.succeededcharge.failedcustomer.createcustomer.updatecustomer.deletedebt-account.createdebt-account.updatedebt-account.deletelocation.createlocation.updatelocation.deletepayment-plan.createpayment-plan.updatepayment-plan.deletedebt-account-dispute.createdebt-account-dispute.updateexternal-charge.createscheduled-charge.createscheduled-charge.updatescheduled-charge.deletetransaction.returned-achtransaction.settled-achimport.complete
secret required|string|min:16
A secret token (min. 16 characters) used to create a hash signature for each payload.
# Returns
A json with data property that contains created webhook object.
{
"id": "string",
"events": "array"
}id
UUID of the webhook.
# Update Webhook
Update a webhook's configuration by sending a PUT request to the following endpoint:
PUT https://<org-uuid>.production.tratta.io/api/v1/webhooks/{id}
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks/{id} \
-H "Authorization: Bearer eyJ0eXA3asdk..." \
-d url="webhook-url" \
-d "events[]=event-name"
-X PUT
# Parameters
url required|url
The URL to which Tratta will send events.
events array|in:supported events
The list of supported events you want to subscribe to. Existing events will be replaced with the new list provided.
Supported events:
charge.succeededcharge.failedcustomer.createcustomer.updatecustomer.deletedebt-account.createdebt-account.updatedebt-account.deletelocation.createlocation.updatelocation.deletepayment-plan.createpayment-plan.updatepayment-plan.deletedebt-account-dispute.createdebt-account-dispute.updateexternal-charge.createscheduled-charge.createscheduled-charge.updatescheduled-charge.deletetransaction.returned-achtransaction.settled-achimport.complete
secret required|string|min:16
A secret token used for creating a hash signature for each payload.
# Returns
A json with data property that contains created webhook object.
{
"id": "string",
"events": "array"
}# Get Webhook
Get a webhook's information by sending a GET request to the following endpoint:
GET https://<org-uuid>.production.tratta.io/api/v1/webhooks/{id}
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks/{id} \
-H "Authorization: Bearer eyJ0eXA3asdk..."# Returns
A json with data property that contains created webhook object.
{
"id": "string",
"events": "array"
}id string
UUID of the webhook event.
events array
Array of events your webhook listens to.
# List Webhooks
Get a list of all webhooks by sending a GET request to the following endpoint:
GET https://<org-uuid>.production.tratta.io/api/v1/webhooks
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks/ \
-H "Authorization: Bearer eyJ0eXA3asdk..."# Returns
A JSON object containing the updated webhook information:
A json with data property that contains array of webhook objects.
{
"id": "string",
"events": "array"
}id string
UUID of the webhook.
events array
Array of events your webhook listens to.
# Delete Webhook
Delete a webhook by sending a DELETE request to the following endpoint:
DELETE https://<org-uuid>.production.tratta.io/api/v1/webhooks/{id}
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks \
-H "Authorization: Bearer eyJ0eXA3asdk..." \
-X DELETE
# Returns
{
"success": "boolean"
}# Securing Webhooks
Tratta uses the provided secret token to create a hash signature for each payload. This signature is included in the header of each webhook request as X-Tratta-Signature-256.
# Pseudo code
secret = secret provided when creating webhook
payload = string of post body payload of request
signature = hmac_hex_digest('sha256', secret, payload)
Python
import hmac
import hashlib
secret = "123412341234123412341234"
payload = '{"data":{"id":"ccd912ca-134b-4743-9ab8-1561d6143caa",
"name":"Test customer","email":"test@email.com","phone":null,"external_id":null}}'
secret = bytes(secret, 'UTF-8')
payload = bytes(payload, 'UTF-8')
h = hmac.new(secret, payload, hashlib.sha256)
signature = h.hexdigest()
# Encrypting Payload
Some webhook events may contain sensitive data that should not be transmitted in plain text. In these cases, webhook payloads will be encrypted using the AES 128 CBC (opens new window)CBC NIST standard. The secret provided when [creating a webhook (/webhooks.html#create-webhook) serves as the shared secret.
Events with encrypted payloads:
external-charge.create
Webhook payload is encrypted with implementation compatible with https://github.com/tasos-py/AES-Encryption-Classes (opens new window).
# Testing Multiple Webhooks
After registering your application's endpoint and creating a webhook, you can trigger any of the Supported Events you've subscribed to. The trigger generates fake data that is sent to your endpoint in the same manner as a webhook. Since this data is not persisted and is only for testing purposes, id properties will be replaced with null.
POST https://<org-uuid>.production.tratta.io/api/v1/webhooks/trigger
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks/trigger \
-H "Authorization: Bearer eyJ0eXA3asdk..." \
-d "events[]=customer.create" \
-d "events[]=customer.update"
# Returns
The response includes successfully dispatched events in the dispatched array. Events you attempted to trigger but did not register your webhook to listen to are included in the not_dispatched array.
{
"dispatched": {
"https://weebhook-url": [
"location.create",
"customer.create",
"debt-account.create"
]
},
"not_dispatched": []
}
# Testing Single Webhooks
POST https://<org-uuid>.production.tratta.io/api/v1/webhooks/trigger/:webhook-uuid
curl https://<org-uuid>.production.tratta.io/api/v1/webhooks/trigger/:webhook-uuid \
-H "Authorization: Bearer eyJ0eXA3asdk..." \
-d "events[]=customer.create" \
-d "events[]=customer.update"