Webhooks

Last modified April 11, 2017

For advanced integration and tracking options FastSpring provides "events" which are delivered by "webhooks" and available via the FastSpring API.

About Webhooks

There are two types of webhooks available:  server webhooks and browser scripts.

  • Server webhooks post JSON data from FastSpring's back-end to one or more external URLs or endpoints specified by you. You can write scripts to parse the data and update your databases or trigger other events based on the contents of the data.
  • Browser scripts execute a JavaScript function in the buyer's browser passing order data in JSON object. The function is executed upon completion of an order, and can be designed to parse the order data and trigger events based on its contents.

You can have multiple webhooks, and each type of webhook event can be sent to as many different URLs as you need.

Setting Up Webhooks

To set up webhooks, login to the Dashboard and select the Integrations menu.

Integrations menu

Then, select the Webhooks tab. An empty webhook container (for both live and test events) is created for you automatically, but you can click ADD WEBHOOK to create additional webhooks if needed.

Example of the Webhooks tab on the Integrations menu

Adding a Server Webhook

  1. Click ADD WEBHOOK URL.  The Add Webhook URL popup dialog will appear.

    Example of the Add Webhook URL dialog

  2. In the URL field, enter the external URL or endpoint where JSON data will be posted.  We strongly recommend that you use HTTPS endpoints so that data will be encrypted against interception.
  3. In the HMAC SHA256 Secret field, you can optionally enter a secret phrase for creating a digest of the payload to provide an additional layer of security. See Message Secret / Security for more details.
  4. In the Events section, select the check box for each event that you want posted to the URL or endpoint for this webhook.
  5. Scroll down to the bottom of the dialog (if necessary) and click ADD.
We recommend using http://requestb.in/ as an easy way to capture webhooks for initial testing.

Adding a Browser Script

  1. Click ADD BROWSER SCRIPT. The Add Browser Script popup dialog will appear.

    Example of the Add Browser Script dialog
  2. In the Name field, optionally enter an internal name for the script that will help you identify it if you create more than one for this webhook.
  3. In the Events section, select browser.order.completed.
  4. In the Function text area, enter or paste your JavaScript code.
  5. Click ADD.

Creating Additional Webhooks and Editing Existing Webhooks

Tip

If you need to send the same webhook event(s) to multiple URLs / endpoints, start by following this procedure to create additional webhooks. Then, in the new webhooks, click the ADD SERVER WEBHOOK command to add new URLs and select the events for the new webhooks.
  1. If you click  to create an additional webhook, or if you click EDIT in a webhook container (next to ADD BROWSER SCRIPT), a window similar to the following will appear.
     
    Example of Adding a new webhook
  2. The optional Title field is for internal use and helps you to distinguish (in addition to the URL) between one webhook and another.
  3. By default, Get webhooks from is set to send webhook events for both Live and Test Orders. If you only wants events to be sent via this webhook for for live orders - or only for test orders - click the drop-down and select the desired option.
  4. If you want this webhook to use expanded JSON data (e.g. to include full account details in an order.completed post), select Enable webhook expansion. (More information about expansion is available directly below.)
  5. Click ADD to add a new webhook, or SAVE to save your changes.

About Webhook Expansion

Depending on the type of event being posted, only data relevant to that event type will be included by default. For example, in an order.completed event, the customer's account ID will be included by default, but not the remainder of the account details. Those will be included in a separate account.created webhook event.

However, if you select Enable webhook expansion, then the objects listed below will be fully expanded / include all data in events other than their own event types.  To continue the example above, with this option enabled, order.completed will include the customer's complete account object rather than just the account ID. Depending upon your implementation, this may obviate the need to subscribe to certain webhooks (e.g. account.created), or to make API calls to fill in certain details.

Expandable Webhook Event Objects

  • account
  • order
  • product
  • subscription

Viewing Recent Server Webhook Activity

The Webhooks tab of the Integrations menu includes a RECENT ACTIVITY command towards the bottom right-hand corner of the page, which lets you view all recent server wehbook on demand, right in your browser window.

Example of a webhook with the RECENT ACTIVITY command highlighted
Clicking RECENT ACTIVITY opens a scrollable popup window that shows those only recent events for which you have configured server webhooks, along with the contents of the posts that were sent to your specified URL(s).

Recent Server Webhook Activity popup

Note

If you believe that you may have missed receiving one or more recent server webhooks (e.g., due to temporary unavailability of your server), you can also use the /events/unprocessed endpoint of the FastSpring API to request the contents of any recent server webhooks that were not delivered successfully. The response structure will be identical to that of the webhooks. See Retrieving Missed or Unprocessed Events below.

Server Webhooks

Server-to-server "webhooks" are delivered as the POST body JSON payload to the URL(s) specified while setting up the webhook(s). Upon firing, some webhooks also trigger an email message to the customer, depending on the context.

Tip

Click an entry in the Event Name column to jump to the corresponding article containing an example of the webhook payload. 
Event Name Description Email Message Sent
account.created Fired when a customer account is created (e.g. when a customer whose email address does not match an existing account places a new order).  Customer Accounts and single sign-on provides detailed information regarding customer accounts.  
fulfillment.failed Fired if one or more fulfillments failed during order fulfillment (e.g. due to insufficient remaining licenses in a pre-generated list).  
mailingListEntry.removed Fired when an entry is expected to be removed from a mailing list (e.g. due to customer unsubscribing by placing an order with the newsletter check box cleared / unselected). Please see Cart Abandonment Tracking and Customer Mailing List Opt-In for more information.  
mailingListEntry.updated Fired upon adding a new mailing list entry (e.g. for a customer who completed an order and selected the check box to "subscribe to news and updates").  Please see Cart Abandonment Tracking and Customer Mailing List Opt-In for more information.  
order.approval.pending Fired when approval is required before an order can be completed (for example, when purchase orders are enabled for your Store with the Require Approval method configured, and a buyer places an order using a purchase order). Order Pending Approval
order.canceled Fired when an order is canceled (e.g. when you cancel a pending approval order via the Dashboard). Order Canceled
order.payment.pending Fired when an order has been processed but payment from the buyer has not yet been completed (for example, when a buyer selects wire transfer as their payment method or buys using a purchase order). Payment Required for the Order
order.completed

Fired upon successful order completion after fulfillment actions have been performed.

Note

For subscriptions, this event is only fired for the initial purchase transaction. Subsequent subscription billings do not trigger this event; only  subscription.charge.completed  events will be triggered.
Default Order Receipt
order.failed Fired if an order failed during checkout (e.g. due to a declined payment card).  
payoutEntry.created Fired when a payout event has been created (e.g. for an order, split pay rule, return etc.).  
return.created Fired when a refund or a return has been created (e.g. by returning a customer's order via the Dashboard).  
subscription.activated Fired upon creation of a new subscription. Activated
subscription.canceled Fired upon cancellation of the subscription, when the Deactivate At Next Period option has been selected (if canceling via Dashboard) or the billingPeriod=0 parameter has not been included (if canceling via the /subscriptions endpoint of the FastSpring API). Canceled
subscription.charge.completed

Fired upon completion of a recurring or managed subscription charge, or a charge resulting from proration following a subscription upgrade or downgrade.

Note

This event is not fired for the initial purchase of a subscription. Instead, we send  order.completed  - which is only fired for new purchases (including the initial purchase of a subscription) - and  subscription.activated .
Charge Completed
subscription.charge.failed Fired when a subscription charge or billing has failed (e.g. due to a declined payment card transaction). Charge Failed
subscription.deactivated Fired upon deactivation of the subscription, including deactivation at the end of the billing period following a prior cancellation, or immediately upon cancellation when the subscription is canceled with the Deactivate Now option selected (via Dashboard) or the billingPeriod=0 parameter is included (canceling via the /subscriptions endpoint of the FastSpring API).  Deactivated
subscription.payment.overdue Fired upon the overdue interval following the payment failed date. Payment Overdue
subscription.payment.reminder Fired upon the reminder interval before the next charge date. Payment Reminder
subscription.trial.reminder Fired when an email message is sent to the customer prior to the first billing, following a free trial period as configured via the Free Trial Days field in the Pricing popup dialog of the Dashboard, or via the trial field inside the pricing node of a POST to the /products endpoint of the FastSpring API. Trial Reminder
subscription.updated Fired when edits have been made to a subscription instance (e.g. by modifying the product, next payment date, etc. via Dashboard or the /subscriptions endpoint of the FastSpring API). Updated


Request Payload

Your webhooks endpoint should be able to receive 1 or more event. During setup you'll define which types of events a given URL receives. Multiple webhooks might be combined in a single payload.

This is an example request your endpoint would receive containing two different event types:

Full payload example
{
    "events": [
        {
            "id": "jazYJQw5RSWVR474tU2Obw",
            "live": true,
            "processed": false,
            "type": "subscription.activated"       
            "created": 1426560444800,
            "data": {
                .... See webhook payload examples for "data" contents ....
            }
        }
    ,   
        {
            "id": "VOe5PQx-T4S6t8yS_ziYeA",
            "live": true,
            "processed": false,
            "type": "subscription.deactivated"     
            "created": 1426560444900,
            "data": {
                .... See webhook payload examples for "data" contents ....
            }
        }
    ]
}

Common fields for all types of events

"id" - Unique ID of the event.

"live" - Whether this event is for live data instead of test data.

"processed" - Whether this event has been marked processed. For a new event this will always be false.

"type" - Identifier for the event that occurred.

"created" - Timestamp for when the event was created.

"data" - Varies per event "type". See Webhook Payload Examples for "data" contents.

Marking Events as Processed

The goal of a Webhook is to mark received events as processed. There are two techniques:

  1. Bulk. Return HTTP status code 200 to consider all events received as successfully processed.
  2. Individual. Return HTTP status code 202 to exert more control over what is considered processed. In the response body, emit one event "id" on each new line (separated by character 10). Each event "id" given will be considered successfully processed.

All other HTTP status codes are considered failures. However, for failures, we recommend returning status codes in the 50X range, depending on the cause of the failure.

Automatic Retries for Unprocessed Webhook Events

For each webhook event that is not marked processed (see Marking Events as Processed above), FastSpring will automatically attempt to repost the event every ten minutes, for a period of 24 hours or until the event is marked processed successfully. If the event is not marked processed within 24 hours, FastSpring will discontinue attempts to repost that specific webhook event, but it can still be retrieved via the /events endpoint of the FastSpring API (see Retreiving Missed or Unprocessed Events below).

When events have failed to process for 24 hours, a red Failing indicator will appear on the card for the affected webhook configuration in the Dashboard.

Example of a webhook configuration with a Failing indicator

In addition, optional alert messages can be sent by email to notify you of the issue. If you do not have an alert email address configured, you will see a notice near the top of the Webhooks tab in the Dashboard. You can configure the email address to which these alerts will be sent by clicking the Setup alert email link.

An example of the setup alert email link

Clicking the link will open the Default Notify Settings page. At the bottom of that page is the Store Notification Addresses section.

An example of the Store Notification Addresses section of the Default Notify Settings page

This section has a separate line for each Store in your account. If your account has multiple Stores, you can specify the Default Email and the Alert Email Addresses separately for each one. To configure alert addresses for failed webhook event notifications, enter one or more addresses in the Alert Email Addresses field(s) for the desired Store(s). If you enter more than one address, separate the addresses with commas, as in the example below.

Example of entering multiple email addresses for notifications
alert@furiousfalcon.com,orders@furiousfalcon.com

If an address is specified in the Alert Email Addresses field, alert messages will continue to be sent periodically as long as there are failed event posts within the past 24 hours. Once the underlying issue (e.g. connectivity or timeout problems on your end) has been resolved, messages that have failed within the past 24 hours can be reposted successfully on subsequent automatic retries, so the statuses for those events will changed to processed. When there are no more unprocessed events within the past 24 hours, the Failing indicator will disappear from the webhook configuration card, and no further alert email messages will be sent.

Retrieving Missed or Unprocessed Events

In the event that your server does not process one or more events successfully (e.g. if your server is temporarily unavailable at the time an event is posted), you can repost them manually via the order or subscription details page, OR retrieve any and all missed events by making a call to the /events/unprocessed endpoint of the FastSpring API.

Simply make a GET call to /events/unprocessed endpoint and all subscribed webhook events that have not been marked as processed (see above) will be returned in the API response. The response structure will be nearly identical to the structures of the unprocessed webhook events - except it will include a type indicator showing the event type - so you can process the response in the same way you would have processed the corresponding / missed webhook posts.

Note

After processing any events that had been missed, you should mark those events as processed via a POST to the /events endpoint of the FastSpring API so that they will not be returned the next time you get unprocessed events. For example:  POST /events/{id}. For more information, please see /events.

Note

The response returned from the /events endpoint is limited to 25 unique events. If the "more" attribute is present with a "true" value on the last line of the response, you may need to make multiple requests in order to retrieve all events. You can optionally specify a time frame with your request (e.g. beginning with the time of the last event in the response) if you want to page through all events before marking any of them processed. For more information, please see /events.

Tip

It may be a good idea to set up an automatic, scheduled task that runs daily (or more often) on your servers to call / events/unprocessed and automatically retrieve any webhook events that might have been missed during the interval since the job last ran. After parsing the events, the script should mark them as processed. When retrieving unprocessed events, you can optionally specify a time frame, but that may not be necessary in this context. For more information, please see /events.

Marking events as processed immediately    Parsing multiple pages of events before marking them processed

Message Secret / Security

Each webhook can optionally define a secret cryptographic key in the HMAC SHA256 Secret field. FastSpring's server will use that key to generate a hashed digest of each webhook payload. The resulting digest will be encoded to base64 and included in the webhook's X-FS-Signature header. Your server can then use the same process, creating a hashed digest of the payload using the same secret key on your side, and then encoding the resulting hash to base64 before comparing the it to the value in that header.

A post with a valid, matching digest in the header can only have originated from a source that uses the correct secret key. Therefore, if you have only provided the secret key to FastSpring via the webhook interface in Dashboard (i.e., you have not given the key to anyone else or used it anywhere else), this confirms that the webhook data is authentic (and also intact), since nobody else knows your secret key and the key is not (of course) included in the post. You can find more information about hash-based message authentication at https://en.wikipedia.org/wiki/Hash-based_message_authentication_code.

The following is an example of using the PHP hash_hmac function to create the hashed digest, where $secret is the secret key entered in the HMAC SHA256 Secret field in Dashboard, and $whole_fs_json_payload is the raw data from the webhook post:

Example of using the PHP hash_hmac function to create the hashed digest
$hash = base64_encode( hash_hmac( 'sha256', $whole_fs_json_payload , $secret, true ) ); 


Here is an example of computing and comparing the HMAC hash using Node.js:

Example of using Node.js to compute and compare the HMAC hash
const crypto = require('crypto');


/**
 * Validates a FastSpring webhook
 *
 * @param {string} req    Node request object, where 'req.body' is a Node
 *                        Buffer object containing the request body
 * @param {string} secret the secret string saved in Dashboard
 */
const isValidSignature = (req, secret) => {
  const fsSignature = req.headers['X-FS-Signature'];
  const computedSignature = crypto.createHmac('sha256', secret)
    .update(req.body)
    .digest()
    .toString('base64');
  return fsSignature === computedSignature;
}

Browser Scripts

Browser scripts (previously called "browser webhooks") are custom-defined JavaScript functions that run inside the browser window. For Web Storefronts, browser scripts will be executed inside the sandbox. For Popup Storefronts, browser scripts will be executed inside the sandbox and passed to the container page via the callback defined using the JavaScript API. For Popup Storefronts, you can leave function () empty if you only want the event to be passed to the container page and not run inside the sandbox. 

BROWSER.ORDER.COMPLETED - fired upon successful order completion after fulfillment actions were performed.

browser.order.completed example
{  
   "id":"ZxcLBaJaR2i7N2DYAo7PbQ",                    // hook id - do not use
   "created":1475702220909,                          // created timestamp, in milliseconds
   "type":"browser.order.completed",                 // type of event
   "live":false,                                     // true if not a test order
   "data":{                                          // order data
      "id":"8nEf7SIgR4SjUUspka4oWQ",                 // FastSpring-internal order ID to be used for all order-related requests
      "reference":"KYR161005-9065-20156",            // customer-facing order ID
      "live":false,                                  // true if not a test order
      "currency":"USD",
      "total":15,                                    // order total
	  "totalDisplay":"USD 15.00",                    // order total, formatted for display
	  "totalInPayoutCurrency":"15",                  // order total in payout currency
	  "totalInPayoutCurrencyDisplay":"USD 15.00",    // order total in payout currency, formatted for display
      "tax":0,
	  "taxDisplay":"USD 0.00",
	  "taxInPayoutCurrency":"0"
	  "taxInPayoutCurrencyDisplay":"USD 0.00",
      "subtotal":15,
	  "subtotalDisplay":"USD 15.00",
	  "subtotalInPayoutCurrency":"15",
	  "subtotalInPayoutCurrencyDisplay":"USD 15.00",
      "discount":0,
	  "discountDisplay":"USD 0.00",
	  "discountInPayoutCurrency":0,
	  "discountInPayoutCurrencyDisplay":"USD 0.00",
      "discountWithTax":0,
	  "discountWithTaxDisplay":"USD 0.00",
	  "discountWithTaxInPayoutCurrency":0,
	  "discountWithTaxInPayoutCurrencyDisplay":"USD 0.00",
      "payoutCurrency":"USD",
      "payment":{  
         "type":"test",
         "cardEnding":"4242"
      },
      "total":15,
	  "totalDisplay":"USD 15.00",
	  "totalInPayoutCurrency":15,
	  "totalInPayoutCurrencyDisplay":"USD 15.00",
      "account":"FwlUjl4DSkOnZY8OqORkTw",
      "tags": {
        "key1":"value1"                              // custom order-level tags defined via Store Builder Library or Custom Orders
      },
      "items":[                                      // array of items in the order
         {  
            "product":"subRegular",
            "quantity":1,
            "subtotal":10,
			"subtotalDisplay":"USD 10.00",
			"subtotalInPayoutCurrency":"10",
			"subtotalinPayoutCurrencyDisplay":"USD 10.00",
            "coupon":null,
            "sku":null,
            "discount":0,
			"discountDisplay":"USD 0.00",
			"discountInPayoutCurrency":0,
			"discountInPayoutCurrencyDisplay":"USD 0.00",
            "subscription":"bZ3zfvNgRiycCGNNDao2Cw",
            "fulfillments":{  
            }
         },
         {  
            "product":"jason-s-test-produc",
            "quantity":1,
            "subtotal":5,
			"subtotalDisplay":"USD 5.00",
			"subtotalInPayoutCurrency":5,
			"subtotalInPayoutCurrencyDisplay":"USD 5.00",
            "coupon":null,
            "sku":null,
            "discount":0,
			"discountDisplay":"USD 0.00",
			"discountInPayoutCurrency":0,
			"discountInPayoutCurrencyDisplay":"USD 0.00",
            "fulfillments":{  
               "jason-s-test-produc_license_0":[  
                  {  
                     "license":"asdf",
                     "display":"License Key",
                     "type":"license"
                  }
               ],
               "instructions":"<p><br/> License Key: asdf<br/></p>"
            }
         }
      ]
   },
   "hook":"5e1d04bb4f8110f1e35008ab37ebfc7b557eca795cc0fd974b4aaef4a73241c6",
   "digest":null                                     // digest checksum
}

Function

Browser hook is defined as a Javascript function similar to this:

function(event) {      
  /* Custom Code Here */
}

Loading External Scripts

It's common to require external scripts for the hook. To load external scripts use the following approach within the function:

this.load('https://scripturl', callback);
//"callback" is a function() to execute after the script has been successfully loaded.