Webhook Endpoints

Webhook endpoints can be created in your account's Settings section. They allow you to be notified of changes to your Flexport data and of milestone events for your shipments.

Setting a Secret Token

To ensure that only requests coming from Flexport are accepted by your system, we require you to set a secret token for each of your endpoints. With each message, Flexport sends an X-Hub-Signature header with the value set as demonstrated on the right. By verifying that this header matches the value you compute, you can ensure that only parties holding the secret token can send data to your endpoint.

Payloads

The payload for a webhook is an Event object.

Flexport uses your secret token and the payload to create a hash signature for each payload. This hash signature is passed along with each request in the X-Hub-Signature header. To validate the payload:

  1. Generate a SHA1 signature using the payload and your secret token.
  2. Compare your signature to the signature in the X-Hub-Signature header string. If they match, then the payload is genuine.
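
Receiver-side validation following the two steps above, added here as an example and not Flexport's own code. It assumes the header value is "sha1=" followed by the hex HMAC-SHA1 of the raw request body keyed with the secret token (the common X-Hub-Signature convention); the secret, the sample body and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: header value is "sha1=<hex digest>", where the digest is
# HMAC-SHA1 keyed with the secret token over the raw request body.
PREFIX = "sha1="


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Step 1: build the expected header value for a payload."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header) -> bool:
    """Step 2: compare the received X-Hub-Signature header to our own.

    Verify the bytes exactly as received; re-serializing parsed JSON can
    change whitespace or key order and break the match.
    """
    received = (header or "").strip().lower()
    if not received.startswith(PREFIX):
        return False  # missing or malformed header: reject
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample values, not real Flexport data.
SECRET = b"example-secret-token"
BODY = b'{"type":"example.event","data":{"id":123}}'
GOOD = compute_signature(SECRET, BODY)


def demo() -> dict:
    """Run the verifier over genuine and bad requests."""
    return {
        "genuine": verify_signature(SECRET, BODY, GOOD),
        "tampered_body": verify_signature(SECRET, BODY.replace(b"123", b"124"), GOOD),
        "wrong_secret": verify_signature(b"other-token", BODY, GOOD),
        "missing_header": verify_signature(SECRET, BODY, None),
        "bare_hex": verify_signature(SECRET, BODY, GOOD[len(PREFIX):]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Run the check before parsing the body, and reject the request when it fails rather than processing the payload.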

Response

Flexport expects to receive an HTTP 200 response code from your endpoint. We will continue trying to deliver the message a number of times if we don’t receive one. To prevent timeouts, it is wise to configure your endpoints to send a 200 and then do any long-running processing on the data.