Timeouts and Retries for Webhooks
- Connection timeout: 3 seconds
- Response timeout: 15 seconds
- Retries: Failed deliveries are retried automatically, following a retry schedule with exponential backoff over ca. 24 hours
- Logs: Failed webhooks are logged and can be monitored
Monitoring Webhook Logs
View Webhook Logs
GET /api/webhooks/{webhook_id}/logs
View Specific Log Entry
GET /api/webhooks/logs/{webhookLog_id}
These endpoints allow you to monitor webhook delivery status, debug failures, and track retry attempts.
Webhook Security
Verifying Webhook Authenticity
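Always verify incoming webhooks using the Rackbeat-Webhook-Token header:
// The header may be missing; default to '' so hash_equals() always receives a string
$receivedToken = $_SERVER['HTTP_RACKBEAT_WEBHOOK_TOKEN'] ?? '';
$expectedToken = 'your_stored_webhook_token';
// hash_equals() compares the two strings in constant time
if (!hash_equals($expectedToken, $receivedToken)) {
    http_response_code(401);
    exit('Unauthorized');
}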
Best Practices
- Store tokens securely: Never expose webhook tokens in client-side code
- Validate payloads: Always validate the structure and content of incoming webhooks
- Handle idempotency: The same event might be delivered multiple times
- Respond quickly: Return a 2xx status code as quickly as possible
- Process asynchronously: Queue webhook processing for heavy operations
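The practices above combined in one receiver, as an added example that is not Rackbeat's own code. The function name `handleWebhook`, the spool directory, the 400/500 status choices and the use of the body hash as a deduplication key are assumptions; if the payload carries a unique event identifier, key on that instead.

```php
<?php
declare(strict_types=1);

// Hypothetical receiver: returns the HTTP status to send back to Rackbeat.
// $spoolDir is an assumed directory that a separate worker drains later.
function handleWebhook(array $server, string $rawBody, string $expectedToken, string $spoolDir): int
{
    // 1. Authenticate: a missing header becomes '' so hash_equals() gets strings.
    $received = $server['HTTP_RACKBEAT_WEBHOOK_TOKEN'] ?? '';
    if (!is_string($received) || !hash_equals($expectedToken, $received)) {
        return 401;
    }

    // 2. Validate structure before anything is stored: must be non-empty JSON.
    $payload = json_decode($rawBody, true);
    if (!is_array($payload) || $payload === []) {
        return 400;
    }

    // 3. Idempotency: key on the body hash (assumption: a redelivery is byte-identical).
    //    Mode 'x' creates the file exclusively, so a duplicate fails atomically.
    $path = $spoolDir . '/' . hash('sha256', $rawBody) . '.json';
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        // Already spooled: acknowledge without reprocessing. Otherwise report failure.
        return file_exists($path) ? 200 : 500;
    }

    // 4. Queue only; heavy processing happens outside the request.
    fwrite($fh, $rawBody);
    fclose($fh);
    return 200;
}

// Constructed sample run (token and body are made up for illustration).
$dir = sys_get_temp_dir() . '/webhook-spool-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$body = '{"example_field":"constructed sample"}';
$ok   = ['HTTP_RACKBEAT_WEBHOOK_TOKEN' => 'sample-token'];

var_dump(handleWebhook($ok, $body, 'sample-token', $dir));      // first delivery
var_dump(handleWebhook($ok, $body, 'sample-token', $dir));      // retry of the same event
var_dump(handleWebhook([], $body, 'sample-token', $dir));       // no token header
var_dump(handleWebhook($ok, 'not json', 'sample-token', $dir)); // malformed body
```

In a real endpoint, pass `$_SERVER` and `file_get_contents('php://input')` and send the returned value with `http_response_code()`.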
Suppressing Webhooks
If you need to perform operations without triggering webhooks (e.g., during data imports), you can suppress them:
Query Parameter
POST /api/orders?suppress_webhooks=true
Request Body
{
  "suppress_webhooks": true,
  "name": "Test Order"
}
Error Handling
Common HTTP Status Codes
Code | Description |
---|---|
201 | Webhook created successfully |
200 | Webhook retrieved/updated successfully |
400 | Invalid request parameters |
401 | Authentication required |
403 | Access denied |
404 | Webhook not found |
422 | Validation errors |