Webhooks
Webhooks allow your app to receive real-time notifications when specific events occur within a SitePack store. Instead of polling the API for changes, SitePack will "push" data to your server via an HTTPS POST request.
How Webhooks Work
- Subscription: You define the events (topics) you want to listen to in your
app.json. - Event Occurs: A merchant performs an action (e.g., a customer submits a form).
- Delivery: SitePack sends a signed JSON payload to your configured endpoint.
- Acknowledgement: Your server must respond with a
200 OKstatus code to acknowledge receipt.
The "Thin Payload" Strategy
To ensure security and data privacy, SitePack webhooks use a Thin Payload architecture. Instead of sending all the resource data (which might contain sensitive PII), the webhook contains only the metadata and a link to the resource.
Example Payload
{
"uuid": "019eca47-221d-73c1-9c6c-c556a2b02cc2",
"test_mode": true,
"topic": "lead.created",
"site": "019eca47-21a4-7935-8636-641e7370897b",
"created_at": "2026-06-15T07:55:19Z",
"arguments": {
"test": true,
"timestamp": 1781510118,
"message": "This is a test webhook message from the admin panel."
}
}
After receiving this notification, your app should call the API using its credentials to fetch the full data. This ensures that:
- Sensitive data is never sent over the wire unnecessarily.
- The App's Scopes are re-validated before data access.
Webhook Topics
The following topics are currently supported:
| Topic | Description |
|---|---|
lead.created | Triggered when a new form submission is received. |
order.created | Triggered when a new order is placed. |
product.updated | Triggered when a product's details are changed. |
Security and Verification
HTTPS Requirement
All webhook addresses must use the https:// protocol.
Signing (HMAC)
Every webhook request is signed with your App Secret using HMAC-SHA384. You should verify this signature to ensure the request truly came from SitePack.
The signature is sent in the X-SitePack-Signature header.
Retries and Failures
If your server returns anything other than a 2xx status code, SitePack will attempt to redeliver the webhook using an exponential backoff strategy for up to 24 hours.
Configuring Webhooks
Add the webhooks array to your app.json:
{
"webhooks": [
{
"topic": "lead.created",
"address": "https://your-app.com/webhooks/leads"
}
]
}
Next Steps
- Authentication (OAuth): How to obtain the tokens needed to fetch data from webhooks.
- Scopes & Permissions: Learn how scopes limit the data you can access via the API.
- App Manifest (app.json): Configure your webhook topics and addresses.
- Admin UI Integration: Use widgets to show data updated via webhooks.