HTTP Notifications

Overview

SellAuth allows you to receive shop notifications via an HTTP webhook. These notifications inform you about important events such as invoices, stock changes, feedback, tickets, and system errors.

HTTP notifications are designed to be lightweight, only minimal data (usually IDs) is sent. You are expected to fetch full details using the SellAuth API.

How It Works

1. An event occurs on your shop.
2. SellAuth sends a POST request to your configured webhook URL.
3. Your server validates the request signature.
4. You use the provided IDs to fetch full data via the API.

Each notification is sent as a single request per event.

Webhook Request

HTTP Details

• Method: POST
• Content-Type: application/json
• Connect timeout: 5 seconds
• Request timeout: 10 seconds
• Retries: 3 total attempts
• Retry interval: 5 seconds between each attempt

Example Request Body

{
  "event": "NOTIFICATION.SHOP_INVOICE_CREATED",
  "data": {
    "invoice_id": 1218
  },
  "shop_id": 1
}

The data object usually contains only IDs relevant to the event.

Signature Verification

HTTP notifications use the same headers and signature logic as Dynamic Delivery webhooks.

Headers

Idempotency-Key: c47107fff54fd943db6939b9935af39a7753b7dc9a3bd227de71d032a725bb47
X-Timestamp: 1769945465
X-Signature: 9c64b5dcf02dfbe918357f4bf92731f28d7ba6988e9af3dec821840367f420fb
Content-Type: application/json

Webhook Secret

The webhook secret is available at: https://dash.sellauth.com/shop#miscellaneous

If the secret is not visible, click Regenerate to create one.

Signature Logic

hash_hmac(
  'sha256',
  json_encode($requestData),
  $webhookSecret
);

import crypto from 'crypto';

const payload = JSON.stringify(req.body);

const signature = crypto
  .createHmac('sha256', WEBHOOK_SECRET)
  .update(payload)
  .digest('hex');

if (signature !== req.headers['x-signature']) {
  throw new Error('Invalid signature');
}

$payload = file_get_contents('php://input');
$signature = hash_hmac('sha256', $payload, $webhookSecret);

if ($signature !== $_SERVER['HTTP_X_SIGNATURE']) {
  http_response_code(401);
  exit('Invalid signature');
}

import hmac
import hashlib

payload = request.get_data()
signature = hmac.new(
    WEBHOOK_SECRET.encode(),
    payload,
    hashlib.sha256
).hexdigest()

if signature != request.headers.get("X-Signature"):
    raise Exception("Invalid signature")

Fetching Full Data

Because notifications only contain IDs, you must retrieve the full data using the SellAuth API.

API Documentation:
https://docs.sellauth.com/api-documentation

Example

If you receive:

{
  "event": "NOTIFICATION.SHOP_INVOICE_CREATED",
  "data": { "invoice_id": 1218 }
}

You can fetch the invoice details using the Invoices API endpoint.

Event Types

Below is a list of all HTTP notification events and their payload structure.

Invoice Events

Product & Stock Events

Feedback Events

Ticket Events

Subscription Events

System Events

Error Handling

If your webhook fails, times out, or returns a non-200 status:

• The notification will be retried automatically
• Delivery errors may appear in your shop dashboard
• Additional notification channels will be used if configured