Skip to main content
In addition to setting up webhooks through the dashboard, you can programmatically create and manage webhooks using the Platform API. This is useful for:
  • Automating webhook setup as part of your deployment process
  • Building integrations that dynamically configure webhooks
  • Managing webhooks across multiple shops programmatically

Creating a Webhook

Use the POST /webhooks endpoint to create a new webhook subscription: 
curl -u "your_username:your_password" \
  -X POST "https://api.fourthwall.com/open-api/v1.0/webhooks" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-server.com/webhooks/fourthwall",
    "allowedTypes": ["ORDER_PLACED", "ORDER_UPDATED", "DONATION"]
  }'
The response includes the webhook configuration with its ID and secret key: 
{
  "id": "wcon_P-VkRfmJTBaC6_Tst22cew",
  "url": "https://your-server.com/webhooks/fourthwall",
  "allowedTypes": ["ORDER_PLACED", "ORDER_UPDATED", "DONATION"],
  "secret": "e3f93c7c-c92b-4b8f-a9b1-5b70e0891abc"
}
Store the secret value securely - you’ll need it to verify webhook signatures.

Complete Example: Create, Receive, and Verify

Here’s a complete flow showing how to set up a webhook programmatically and handle incoming events: Step 1: Create the webhook 
import requests

# Create webhook subscription using Basic Auth
response = requests.post(
    "https://api.fourthwall.com/open-api/v1.0/webhooks",
    auth=("your_username", "your_password"),
    json={
        "url": "https://your-server.com/webhooks/fourthwall",
        "allowedTypes": ["ORDER_PLACED"]
    }
)

webhook_config = response.json()
webhook_secret = webhook_config["secret"]  # Store this securely!
Step 2: Receive and verify webhook events 
import hmac
import hashlib
import base64
from flask import Flask, request, jsonify

app = Flask(__name__)
WEBHOOK_SECRET = "your_stored_secret"

def verify_signature(payload, signature_header):
    """Verify the webhook signature matches."""
    digest = hmac.new(
        WEBHOOK_SECRET.encode('utf-8'),
        payload,
        digestmod=hashlib.sha256
    ).digest()
    computed_signature = base64.b64encode(digest).decode('utf-8')
    return hmac.compare_digest(computed_signature, signature_header)

@app.route('/webhooks/fourthwall', methods=['POST'])
def handle_webhook():
    # Get the signature from headers
    signature = request.headers.get('X-Fourthwall-Hmac-SHA256')

    # Verify the signature
    if not verify_signature(request.data, signature):
        return jsonify({"error": "Invalid signature"}), 401

    # Parse the webhook payload
    event = request.json

    # Handle different event types
    if event["type"] == "ORDER_PLACED":
        order_data = event["data"]
        print(f"New order received: {order_data['friendlyId']}")
        # Process the order...

    # Always return 200 to acknowledge receipt
    return jsonify({"status": "received"}), 200

API Endpoints

The Platform API provides these endpoints for webhook management:
EndpointDescription
POST /webhooksCreate a new webhook subscription
GET /webhooksList all webhooks
GET /webhooks/Get a specific webhook
PUT /webhooks/Update a webhook
DELETE /webhooks/Delete a webhook