About webhooks
Webhooks is a convenient way to get notified when a product is updated with new information.
Webhooks allow you to build or set up integrations which subscribe to product update events. Rather than requiring you to pull information via our API, webhooks will push information to your endpoint. When there is new data about a subscribed product, we'll send a HTTP POST payload to the webhook's configured URL. Webhooks is a great way to keep your product information up to date.
Creating webhooks
Subscribe to products and assign an URL to your new webhook by contacting Consupedia support at tech-support@consupedia.com.
At this time new webhooks are setup by Consupedia Support. Send a list of products (GTIN or Consupedia Product Id) and the endpoint URL and we will setup the webhook. The URL needs to be full, valid, and publicly accessible. If you would like to use the data for a research project, please add a description of your work and how the Consupedia data will be used.
Securing your webhooks
Ensure your server is only receiving the expected Consupedia requests for security reasons.
Once your server is configured to receive payloads, it'll listen for any payload sent to the endpoint you configured. For security reasons, you probably want to limit requests to those coming from Consupedia. There are a few ways to go about this--for example, you could opt to allow requests from Consupedias's IP address--but a far easier method is to set up a secret token and validate the information.
Setting a secret token
Along with your request for a webhook, send a random string with high entropy (e.g., by taking the output of ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' at the terminal).
Consupedia will use this to create a hash signature with each payload sent by the webhook. This hash signature is included with the headers of each request as X-Hub-Signature-256.
The service receiving the webhook requests should be configured to validate that the hash matches a hash created with your secret token. Consupedia uses a HMAC hex digest to compute the hash, so you should configure your server to use the same digest algorithm to validate.