Rule webhooks

Overview

Rule webhooks leverage Front rules to run. To learn the differences between application webhooks and rule webhooks, refer to our Webhooks overview.

Setup

For more information about how to enable and setup a rule webhook, please refer to our help center. Remember that you can configure the webhook to send either the full event payload or an event preview.

To quickly get started testing rule webhooks, you can use something like RequestBin or UltraHook to receive and explore webhook payloads.

Validating Data Integrity

For security reasons and since the rule webhook URL is open to the public, you should not trust any incoming requests that it receives. Each request we send to your rule webhook URLs will contain an X-Front-Signature header generated using the request body and your API Secret.

To validate that the data came from Front, you need to calculate the base64 encoded HMAC hash of the request body using the SHA1 algorithm and your API secret as the key. If the value matches the header's signature, you can be sure the request was sent from Front.

📘

Make sure to encode the payload using UTF-8.

const crypto = require('crypto');
const apiSecret = 'YOUR_API_SECRET';

function validateFrontSignature(data, signature) {
    var hash = crypto.createHmac('sha1', apiSecret)
                     .update(JSON.stringify(data))
                     .digest('base64');

   return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(signature));
}
require 'openssl'
require 'Base64'

API_SECRET = 'YOUR_API_SECRET'

def validateFrontSignature(data, signature)
  Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), API_SECRET, data)).strip() == signature ? true : false
end
from flask import Flask, request, jsonify, abort
import hashlib
import hmac
import json
from base64 import b64encode

app = Flask(__name__)

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    data = request.json
    signature = request.headers.get("x-front-signature")
    api_secret = "YOUR_API_SECRET_HERE"  
    computed_signature = b64encode(hmac.new(api_secret.encode(), json.dumps(data, separators=(",", ":"),ensure_ascii=False).encode(), hashlib.sha1).digest()).decode()
    if not hmac.compare_digest(computed_signature.encode(), signature.encode()):
        abort(400, "Bad Request: Signature verification failed")
    else:
        return jsonify({"status": "success"}), 200
        
if __name__ == '__main__':
    app.run(port=5000) 

You can get your API secret by completing the following steps:

  1. Click Settings in Front.
  2. Under Company, click App store.
  3. Search for the Webhooks app.
  4. On the Webhooks app details page, click Configure app.
  5. Click Copy underneath the API secret section to obtain your API secret.

Differentiating customer webhook requests

To determine which Front customer instance is emitting a rule webhook, provide each customer with a unique webhook address during setup.

Timeouts

Webhook requests issued by Front will time out after 5 seconds.

Retries

At present, retries are not attempted in cases where Front is unable to send payloads to your rule webhook. If you suspect you missed data, consider polling the List events API endpoint to filter for Events which occurred during the time you missed data.