
Dynamic Webhook Setup

Set up SellApp dynamic webhooks to generate product delivery content, validate HMAC signatures, and return stock updates.

SellApp's dynamic webhook sends a POST request to the webhook URL you enter on a product variant.

The POST request is sent as a JSON object when a customer successfully completes a payment, and contains all the relevant order data so your webhook can process the order programmatically.

Whatever value you return to us as a response to the above POST request can be passed along to the customer as the dynamic deliverable. Use dynamic webhooks when digital product delivery depends on your own system, such as generated accounts, custom keys, provisioning flows, or external stock.

Important

Use an HTTPS webhook endpoint in production so the order payload and signature cannot be intercepted.


Generate a webhook secret

Before proceeding, we strongly advise creating a webhook secret, which you'll use to verify that incoming webhook requests are legitimate.

If you don't, a malicious person could spoof requests and make it look like we're sending them, possibly resulting in your stock being drained.

Here's how to create a webhook secret:

  1. Navigate to your store's developer settings.
  2. Click "Generate" in the "Webhook secret" section.
  3. The newly generated secret is saved and copied to your clipboard.

Validating signed webhooks

To verify the authenticity of webhook calls sent to your dynamic webhook endpoint, SellApp sends an HMAC signature computed over the JSON-encoded request body, with your generated webhook secret as the key.

Note

SellApp uses the sha256 hash function.

Here is a validation example for the dynamic webhook endpoint in PHP:

$secret = "webhook-secret-here"; // The webhook secret you generated on SellApp
$signature = $_SERVER['HTTP_SIGNATURE'] ?? ''; // The HMAC signature sent by our servers (empty string if the header is missing)

// Compute the expected HMAC signature over the raw request body
$computedSignature = hash_hmac('sha256', file_get_contents('php://input'), $secret);

if (hash_equals($computedSignature, $signature)) {
    // The signature sent by the webhook is valid, we can process the order
} else {
    // The signature is invalid, this means something in the configuration is wrong or the webhook was not sent by SellApp
}

Note

Sending a test dynamic webhook is only for the purpose of checking whether your endpoint is correct. The test sends mock data which is not representative of production webhooks.

If you have set a webhook secret, test dynamic webhooks do send the secret in the header under the variable "signature".


Returning dynamic content

When your endpoint responds successfully, SellApp stores the response on the delivered order.

You can return plain text, which will be shown to the customer as the dynamic deliverable message. You can also return JSON with a message value:

{
  "message": "Your custom account has been created."
}

If your dynamic webhook manages stock externally, you may also return a stock value to update the product variant's stock:

{
  "message": "Your custom account has been created.",
  "stock": 42
}

Once this has been set up and configured correctly, you're all good to go.

Whenever a new order is delivered, we'll ping the dynamic endpoint URL you entered on the product variant, then pass along your webhook's response to the customer.
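
An added example, not SellApp's own code: the signature check and the JSON response described on this page, combined in one framework-independent Python handler for endpoints that are not written in PHP. The 401 and 400 status codes, the `deliver` callback and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

# Placeholder secret, as in the PHP example; load the real one from configuration.
WEBHOOK_SECRET = b"webhook-secret-here"

# Constructed sample request body (not SellApp's real payload schema).
SAMPLE_BODY = b'{"id": 1,"quantity":1}'
SAMPLE_SIG = hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()


def signature_is_valid(raw_body: bytes, signature: Optional[str], secret: bytes) -> bool:
    """Compare the received signature with HMAC-SHA256 of the raw body bytes."""
    if not signature:
        return False  # a missing or empty header is treated as unsigned
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison; encoding to bytes avoids errors on non-ASCII input.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_webhook(raw_body: bytes, headers: dict,
                   deliver: Callable[[dict], Tuple[str, int]]) -> Tuple[int, str]:
    """Return (HTTP status, response body) for one dynamic webhook POST.

    `deliver` is a hypothetical callback returning (message, remaining stock).
    """
    # Header name "signature" comes from the page; match it case-insensitively.
    sig = next((v for k, v in headers.items() if k.lower() == "signature"), None)
    if not signature_is_valid(raw_body, sig, WEBHOOK_SECRET):
        return 401, "invalid signature"  # delivery logic never sees unverified input
    try:
        order = json.loads(raw_body)  # parse only after the bytes are authenticated
    except ValueError:
        return 400, "malformed JSON"
    message, stock = deliver(order)
    # Response shape from the page: a message plus an optional stock update.
    return 200, json.dumps({"message": message, "stock": stock})


if __name__ == "__main__":
    result = handle_webhook(
        SAMPLE_BODY, {"Signature": SAMPLE_SIG},
        lambda order: ("Your custom account has been created.", 42))
    print(result)
```

Pass the request body exactly as it was received: re-encoding the parsed JSON changes the bytes, and the signature no longer matches.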
