Receive data as soon as it becomes available.
POST HTTP request;
x-metriport-signature - see authentication below;
200 in under 4 seconds - we recommend processing the webhook request asynchronously;
ping message;
x-metriport-signature header - this is an HMAC SHA-256 hash computed using your webhook key and the body of the webhook message.
At a high level, an HMAC works by taking a secret key (webhook key from the Settings page) and a message,
and performing iterative hashes of the two to create a signature. That signature is compared against the
signature in the header for equality. If the signatures are equal, you can trust the webhook
payload is authentic and has not been tampered with. If they aren’t equal, you should throw it away.
You can use this header to verify that the webhook messages sent to your endpoint are from Metriport.
Generate the signature from the raw request body, before parsing it - parsing could result in a slightly
different signature, and that is enough to invalidate it.
Here’s an example of how you can do this in Node.js - see the full sample code
here:
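The following is an added example, not Metriport's sample code: it verifies `x-metriport-signature` over the raw body bytes with a constant-time comparison, then replies before processing. The hex encoding of the header value, the 401 status for discarded messages, the body size cap, and the names `makeHandler`, `processAsync`, `SAMPLE_KEY` and `SAMPLE_BODY` are assumptions of this example.

```javascript
const crypto = require('node:crypto');

const MAX_BODY_BYTES = 1024 * 1024; // assumption: cap chosen for this example

// Assumption: the header value is the hex encoding of the HMAC-SHA256 digest.
function computeSignature(webhookKey, rawBody) {
  return crypto.createHmac('sha256', webhookKey).update(rawBody).digest('hex');
}

// True only when the header matches the HMAC of the exact bytes received.
function verifySignature(webhookKey, rawBody, signatureHeader) {
  // Reject missing or malformed header values before comparing.
  if (typeof signatureHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false;
  }
  const expected = Buffer.from(computeSignature(webhookKey, rawBody), 'hex');
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical handler for http.createServer(): buffers the raw bytes, verifies,
// answers at once, and defers processing so the 200 goes out well under 4 seconds.
function makeHandler(webhookKey, processAsync) {
  return (req, res) => {
    const chunks = [];
    let size = 0;
    req.on('data', (chunk) => {
      size += chunk.length;
      if (size > MAX_BODY_BYTES) return req.destroy(); // drop oversized requests
      chunks.push(chunk);
    });
    req.on('end', () => {
      const rawBody = Buffer.concat(chunks); // never JSON.parse before verifying
      if (!verifySignature(webhookKey, rawBody, req.headers['x-metriport-signature'])) {
        return res.writeHead(401).end(); // assumption: 401 for discarded messages
      }
      res.writeHead(200).end(); // no response body needed
      setImmediate(() => processAsync(rawBody)); // parse and handle after replying
    });
  };
}

// Constructed sample input (not a real Metriport payload or key).
const SAMPLE_KEY = 'constructed-webhook-key';
const SAMPLE_BODY = Buffer.from('{ "example": 1,  "note": "constructed" }');
```

Re-serializing `SAMPLE_BODY` with `JSON.stringify(JSON.parse(...))` drops its whitespace, so the same signature no longer verifies against the result.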
ping: validation of the webhook connection between Metriport and your app;
200 HTTP status code (OK).
There’s no need to include anything on the response body.
ping message
POST request with this body…
<random-sequence> as below:
Retry button, and those requests will be sent to your app again.