Webhooks

Waitwhile supports setting up webhooks for various events. For each webhook you can choose to receive all events or specific events and for which locations.

The following event types are supported:

visit.created
visit.updated
visit.removed
location-status.updated
message.created
message.updated
Webhooks use the same schema definitions as the API for representing objects.

To acknowledge receipt of a webhook, your endpoint should return a 2xx HTTP status code. All response codes outside this range, including 3xx codes, will indicate to that you did not receive the webhook. Failed webhook calls will be retried up to three times. If your endpoint consistently fails for more than three days the webhook will be deactivated.

Waitwhile will sign the webhook events it sends to your endpoints. We do so by including a signature in each event’s X-Waitwhile-Signature header. This allows you to validate that the events were sent by Waitwhile and not by a third party.

Before you can verify signatures, you need to retrieve your endpoint’s secret from the settings. Each secret is unique to the endpoint to which it corresponds.

The signature is created by concatenating webhook URL and payload as a UTF-8 string, and then creating a hash-based message authentication code (HMAC) with SHA-256, encoded using Base64.

See example code below:

function verifyWebhookSignature(signature, url, payload, secret) {
return signature == crypto.createHmac('sha256', secret).update(Buffer.from(url + payload, 'utf-8')).digest('base64');
}