Review these best practices to help keep your webhooks secure and functioning seamlessly with your integration. To find out more about setting up and receiving webhooks, visit the Webhooks guide.
Several measures help keep webhooks secure. Only HTTPS URLs are supported, and the endpoint must present a valid SSL certificate. Self-signed certificates are not supported.
Below are some additional security-related methods:
Whitelist the following IPs that webhooks will be sent from, noting the different environments:
When creating a webhook POST endpoint, use an obfuscated URL so that it cannot be easily accessed by an insecure source.
Secondary API call
Using the ID provided within the webhook, you can make another API call to fetch the resource from Zai again. This ensures that the request and response occur between the two backends. Example: A webhook of GET /items/:id reaches the endpoint. The payload contains an ID. Using that ID, make a call to GET /items/:id to ensure the data is coming from the Zai API.
Verify webhook signatures to ensure that events received are sent from Zai.
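The secondary API call described above, as an added example (not Zai's own code): the handler takes only the ID from the webhook body, validates it before building the URL, and acts on what the API returns. The base URL, the `items`/`id`/`state` payload shape, the ID pattern and the `fetch_json` helper are assumptions for illustration.

```python
import json
import re
from urllib.parse import quote

# Assumption: placeholder host; substitute the API host for your environment.
API_BASE = "https://api.example.invalid"
# Assumption: IDs are short URL-safe tokens; tighten to the real ID format.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample: a forged webhook body claiming state "completed",
# while the API (stubbed below) reports "pending".
FORGED_BODY = b'{"items": {"id": "item_123", "state": "completed"}}'


def extract_item_id(raw_body: bytes) -> str:
    """Pull only the ID out of the webhook body; reject anything malformed."""
    try:
        payload = json.loads(raw_body)
        item_id = payload["items"]["id"]  # assumed payload shape
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed webhook payload") from None
    if not isinstance(item_id, str) or not ID_PATTERN.fullmatch(item_id):
        # Stops values such as "../users/1" or "x?y=1" from reshaping the URL.
        raise ValueError("unexpected ID format")
    return item_id


def handle_webhook(raw_body: bytes, fetch_json) -> dict:
    """Return the item as reported by the API, never as claimed by the webhook.

    fetch_json(url) is a caller-supplied function (hypothetical) that performs
    an authenticated HTTPS GET and returns the decoded JSON body.
    """
    item_id = extract_item_id(raw_body)
    url = f"{API_BASE}/items/{quote(item_id, safe='')}"
    fetched = fetch_json(url)
    item = fetched.get("items") or {}
    if item.get("id") != item_id:
        raise ValueError("API returned a different resource")
    return item  # act on this, not on the webhook body


def stub_fetch(url: str) -> dict:
    """Offline stand-in for the real API call, returning constructed data."""
    return {"items": {"id": url.rsplit("/", 1)[-1], "state": "pending"}}
```

Because the endpoint discards everything in the webhook body except the ID, a request forged against the obfuscated URL can at most trigger a read of a resource's real state.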
Webhook jobs are automatically retried if they fail to be delivered. Our application will re-attempt to send webhook notifications to customers for up to 24 hours, using exponential backoff.
Estimated retry timings
1 hour & 45 minutes
7 hours & 5 minutes
28 hours & 25 minutes
In the event that the maximum number of automatic retry attempts is exhausted, we’ve maintained the ability for our internal team members to manually resend failed webhook notifications.
In the future, we will expose features to allow enhanced searching of webhooks and the ability to retrigger a failed webhook via an API.
There are a number of ways to start testing Webhooks with Zai. We recommend services such as Request Bin, Runscope and/or Webhooks.site, all of which can be used to provide a container for all webhooks to be sent to.