Webhook Endpoints

Webhook endpoints can be created in your account's Settings section. They allow you to be notified of changes to your Flexport data and of milestone events for your shipments.

Setting a Secret Token

To verify that only requests coming from Flexport are allowed into your system, we require you to set a secret token for each of your endpoints. With each message, Flexport sends an X-Hub-Signature header whose value is derived from the payload and your secret token. By verifying that this header matches the value you compute yourself, you can ensure that only parties holding the secret token can send data to your endpoint.

Payloads

The payload for a webhook is an Event object.

Flexport uses your secret token and the payload to create a hash signature for each payload. This hash signature is passed along with each request in the X-Hub-Signature and X-Hub-Signature-256 headers. Currently, Flexport supports both SHA1 and SHA256 signatures and will soon deprecate SHA1. We recommend using SHA256 for new integrations and transitioning older integrations to SHA256.

To validate the payload:

  1. Generate a SHA1 signature or SHA256 signature using the payload and your secret token.
  2. For SHA1, compare your signature to the signature in the X-Hub-Signature header string. If they match, then the payload is genuine.
  3. For SHA256, compare your signature to the signature in the X-Hub-Signature-256 header string. If they match, then the payload is genuine.
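The validation steps above, as an added example that is not Flexport's own code. It assumes the signature is a hex-encoded HMAC of the raw request body keyed with the secret token, optionally prefixed with "sha256=" or "sha1="; the function names, the allow_sha1 switch and the sample values are constructed for illustration.

```python
import hashlib
import hmac

# Header name -> digest, strongest first. The page says SHA1 will be deprecated.
SCHEMES = (("X-Hub-Signature-256", "sha256"), ("X-Hub-Signature", "sha1"))

# Constructed sample values, not real Flexport data.
SAMPLE_SECRET = b"constructed-secret-for-example"
SAMPLE_BODY = b'{"type":"event","id":"constructed"}'


def compute_signature(secret: bytes, raw_body: bytes, algo: str) -> str:
    # Assumption: hex HMAC over the exact bytes received, before any JSON parsing.
    return hmac.new(secret, raw_body, algo).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict,
                   allow_sha1: bool = False) -> bool:
    """Return True only if the strongest signature header present matches."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, algo in SCHEMES:
        if algo == "sha1" and not allow_sha1:
            continue  # SHA1 stays opt-in for older integrations
        received = lowered.get(name.lower())
        if not received:
            continue
        received = received.strip().lower()
        prefix = algo + "="  # assumption: optional "<algo>=" prefix
        if received.startswith(prefix):
            received = received[len(prefix):]
        expected = compute_signature(secret, raw_body, algo)
        # Constant-time compare. Returning here means a bad SHA256 value
        # is never rescued by falling back to the weaker SHA1 header.
        return hmac.compare_digest(expected.encode(), received.encode())
    return False  # no acceptable signature header: reject


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY, "sha256")
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {"X-Hub-Signature-256": sig}))
```

Pass the request body exactly as it arrived on the wire; re-serializing parsed JSON can change the bytes and make a genuine payload fail verification.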

Response

Flexport expects to receive an HTTP 200 response code from your endpoint. We will continue trying to deliver the message a number of times if we don’t receive one. To prevent timeouts, it is wise to configure your endpoints to send a 200 first and then do any long-running processing on the data.