Webhooks Overview
Truto provides webhooks that notify you of events happening in your Truto account. They can also notify you about changes in third-party app integrations: Truto receives the webhook events from the integrations and proxies them to your endpoint in a unified format (coming soon).
Webhook endpoints
HTTPS only
All webhook endpoints must be served over HTTPS and must support the POST method.
Security
SHA256 Signature
Every request made to a webhook endpoint has an x-truto-signature header, which contains the SHA256 HMAC of the request body being sent. This helps you make sure that the requests originate from Truto. The SHA256 HMAC uses a secret string (UUID) which is shared with you when the webhook is created. See creating webhook endpoint.
To prevent replay attacks, you can check the created_at attribute of the request body and ignore the webhook event if it is older than a certain timeframe. There is also a unique id in the request body for each webhook event.
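The signature and replay checks described above can be combined in one receiver-side function. This is an added example, not Truto's own code. It assumes the header carries the HMAC as a hex string and that created_at is an ISO 8601 timestamp. The function names, the 5-minute window and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed tolerance; the page leaves the timeframe to you

# Constructed sample values, not real Truto data.
SAMPLE_SECRET = "00000000-0000-4000-8000-000000000000"
SAMPLE_BODY = b'{"id": "evt-constructed-1", "created_at": "2024-01-01T12:00:00Z"}'
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)


def sign(raw_body, secret):
    """HMAC-SHA256 of the raw body keyed with the webhook secret (hex is an assumption)."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, signature, secret, seen_ids, now=None):
    """Return the parsed event, or raise ValueError naming why it was rejected."""
    # 1. Authenticate the exact bytes received before parsing them; re-serialised
    #    JSON would not match. compare_digest avoids a timing side channel.
    expected = sign(raw_body, secret).encode()
    if not hmac.compare_digest(expected, signature.strip().lower().encode()):
        raise ValueError("bad signature")
    event = json.loads(raw_body)

    # 2. Freshness: reject events whose created_at is outside the window
    #    (assumed ISO 8601; naive timestamps are treated as UTC).
    created = datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))
    if created.tzinfo is None:
        created = created.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if abs(now - created) > MAX_AGE:
        raise ValueError("stale event")

    # 3. Replay inside the window: remember ids already accepted. A real
    #    service would keep these in a shared store with expiry >= MAX_AGE.
    if event["id"] in seen_ids:
        raise ValueError("duplicate event")
    seen_ids.add(event["id"])
    return event


if __name__ == "__main__":
    seen = set()
    sig = sign(SAMPLE_BODY, SAMPLE_SECRET)
    print(verify_webhook(SAMPLE_BODY, sig, SAMPLE_SECRET, seen, now=SAMPLE_NOW))
```

Pass the request body exactly as received on the wire; computing the HMAC over a parsed and re-encoded body will fail verification even for genuine deliveries.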
Retries
Webhook endpoints need to respond with HTTP status code 200. In case of 4XX and 5XX status codes, Truto will retry 3 times with exponential backoff of maximum 10 seconds before giving up.
Prolonged failures from a webhook endpoint will automatically make the webhook endpoint inactive. Inactive webhooks have the is_active attribute set to false. Inactive webhook endpoints will not receive any further events. We'll notify you via email when a webhook is marked as inactive.
Logging (coming soon)
All the webhook deliveries will be logged and will be available via an API.