Skip to main content
Webhooks are how StoreKit notifies your systems of events in real-time. At their core, they are just a POST request to a pre-determined endpoint.

How Webhooks Work

When an event occurs in your store (like a new order being placed), StoreKit sends an HTTP POST request to your configured endpoint with details about that event. The endpoint can be whatever URL you want, and you can add them from your StoreKit dashboard. You normally use one endpoint per service, and that endpoint listens to all of the event types. For example, you can structure your URL like: https://www.example.com/storekit/webhooks/

Acknowledging Webhooks

The way to indicate that a webhook has been processed is by returning a 2xx (status code 200-299) response to the webhook message within 15 seconds.
It’s important to disable CSRF protection for your webhook endpoint if your framework enables it by default.

Security

Another important aspect of handling webhooks is to verify the signature and timestamp when processing them. This ensures that the webhook actually came from StoreKit and hasn’t been tampered with. Learn more in the Verifying Signatures section.

Quick Tips

  • Respond quickly: Return a 2xx response as fast as possible. If you need to do complex processing, add the webhook to a queue and process it asynchronously.
  • Handle duplicates: Webhooks may occasionally be sent more than once. Make your processing idempotent.
  • Verify signatures: Always verify webhook signatures in production to ensure security.