Webhooks
Whenever a new event needs to be delivered to your application, a webhook will be called. For now webhook registration is a manual process, to get started you will need to give the Tyro Connect team your webhook url, and we will load it into the system.
The payload for each event will be an object with the following attributes:
type required | string The type of event being delivered. | ||||||
required | object | ||||||
|
For example, an order created will result in notification with the following payload.
{
"type": "ORDER_CREATED",
"data": {
"resource": "order",
"id": "abcxyz123-2c32-4a0d-a0dd-f766e965235e",
"uri": "https://api.tyro.com/connect/orders/abcxyz123-2c32-4a0d-a0dd-f766e965235e"
}
}
Response
To indicate that delivery of the notification was successful please return a 200
HTTP response code. A 500
HTTP response code should be returned if the notification could not be processed, if this happens Tyro Connect will retry sending the event 3 times.
Duplicate, Unknown or Out of Order Events
Please ensure your implementation ignores the following occurrences:
- Duplicate Events: Please make sure that your system can handle duplicate events i.e a notification with an identical
type
andid
. If you receive an notification about an event you have already received please ignore it. This should be an uncommon occurrence but can occur if Tyro Connect encounters an error and we are not sure we delivered the message to you. - Out of Order Events: Rare network issues could potentially result in out-of-order events. If you receive a notification about an event that appears to be outdated, please ignore it as this is most likely an out-of-order event.
- Unknown Events: It is also possible that Tyro Connect publishes events with a
type
that you do not support. When this happens please ensure that your implementation ignores the event.
Validation
Tyro-Connect-Signature
Header
Tyro Connect generates a signature for each webhook notification that it sends and the signature is then included in the request as a custom HTTP header Tyro-Connect-Signature
.
Signing Key (Pre-Shared Secret)
During setup Tyro Connect will generate signing keys for each of your webhook url's. Different keys can be generated for each event type or we can produce a single key for all events. This signing key is how you can verify that the events were sent by Tyro-Connect.
Signature Calculation
To generate a matching signature you must get the http request body as a string and compute a SHA-256 hash of the request body. This hash can then be compared to the Tyro-Connect-Signature
header.
Here is a pseudocode example:
calculatedSignature = hmacSha256(signingKey, request.body)
expectedSignature = request.headers["Tyro-Connect-Signature"]
Signature Comparison
Perform an equality comparison on the expected signature in the header to the calculated signature. If the signatures match you can trust that it was Tyro Connect that sent you the request.