Documentation
    • Introduction
    • Webhook
    • Integrations
      • Hosted Checkout Integration
      • Nodejs
      • Wordpress
    • Create Checkout Session
      POST
    • Schemas
      • webhooks
        • Webhook | Order Created
        • Webhook | Order Abandoned
        • Webhook | Order Refunded
        • Webhook | Order Failed
      • Cart Session Request
      • Cart Session Response

    Webhook

    Webhooks can be managed on dasboard account provided by STRABL
    Integration and Config
    Secrets and configuration of webhook urls

    Generate webhook secret#

    You can generate a webhook secret from the Dashboard. The secret is displayed only once, so be sure to store it securely when it is created.
    Important: If you regenerate the webhook secret, all future webhook signatures will be generated using the new secret. Any webhook verification logic still using the old secret will fail, and previously generated signatures cannot be validated with the new secret.
    Every outbound webhook request from Strabl includes three headers:
    HeaderExampleDescription
    X-Webhook-Id3fa6c2e1-...Unique event ID — use for idempotency
    X-Webhook-Timestamp1747123456Unix epoch seconds when the request was signed
    X-Webhook-Signaturev1=a3f9...v1= prefix + HMAC-SHA256 hex digest

    Signing Algorithm#

    Your webhook secret is shown once when you create a webhook endpoint in the Strabl dashboard.
    Always:
    Read the raw request body before any JSON parsing — parsers may alter whitespace
    Reject requests where |now - X-Webhook-Timestamp| > 300 (5 minutes) to block replay attacks
    Use constant-time comparison to prevent timing attacks

    Event Types#

    webhookEventTypeFired when
    order_createdA new order is placed
    order_updatedAn order is marked paid or fulfilled
    order_failedPayment fails
    order_refundedA refund is issued
    order_abandonedA cart is abandoned
    order_chargebackA chargeback is opened

    Responding to Webhooks#

    Return HTTP 2xx within 10 seconds
    Strabl retries once on non-2xx or timeout
    Use X-Webhook-Id to deduplicate — the same event may be delivered more than once

    Code Samples#

    Java
    Spring MVC
    PHP
    Vanilla PHP
    Laravel
    Python
    Flask
    Django

    Webhook Event Payload#

    {
  "eventId": "3fa6c2e1-4b2d-4f3a-9c1e-8d7f2a1b5c3d",
  "webhookEventType": "order_created",
  "platformUuid": "plt-abc123",
  "orderUuid": "ord-xyz789",
  "orderShortCode": "SOR-20240514-001",
  "publishedAt": "2024-05-14T10:30:00Z",
  "payload": {}
}
    Modified at 2026-06-18 13:58:58
    Previous
    Introduction
    Next
    Hosted Checkout Integration
    Built with