API Reference

Corporate Merch can send webhook events to notify your application when a particular event has occurred.

How it works

You can setup your webhooks via the Corporate Merch dashboard under Developers > Webhooks.
Simply click "Create new application", enter your "Application Name" and submit. It will generate a new environment for your application where you will be able to enter your "Webhook Endpoint URL" and select the event types you wish to receive notifications for.

Verifying incoming requests with Signature

To prevent your application from a replay attack, we recommend that you verify all incoming webhook events by checking for our unique signature. Our API add a header called "Signature" to every webhook request it makes.

Here's how you can verify if the signature of the request is valid.

/**
* $payload = Request payload
* $secret = Your application secret signature and it can be found in Corporte Merch dashboard
* $signature = Request "Signature" and it can be found in the request headers
*/
$computed = hash_hmac('sha256', $payload, $secret);

if ($computed === $signature) {
  // valid
}