Skip to main content

What are webhooks?

Webhooks allow Pocketsflow to push real-time notifications to your application when events occur in your account. Instead of repeatedly polling for data, webhooks notify your server the moment something happens - like a completed order, failed payment, or new subscription.

How webhooks work

1

Register your endpoint

Configure a webhook URL in your Pocketsflow dashboard (Settings → Developers → Webhooks)
2

Events occur

Something happens in your account (order completed, subscription created, etc.)
3

Pocketsflow sends HTTP POST

We send a POST request to your endpoint with the event data
4

Your server processes

Verify the signature, process the event, and return a 2xx status
5

Acknowledge receipt

Respond within 5 seconds to confirm successful delivery

Use cases for webhooks

Grant access to digital products

When a customer completes a purchase, automatically deliver course access, membership credentials, or license keys. 
// Example: Grant course access on order completion
if (event.type === 'order.completed') {
  const { customer, product } = event.data;
  await grantCourseAccess(customer.email, product.id);
}

Sync with your CRM

Keep customer data synchronized across HubSpot, Salesforce, or your internal systems. 
// Example: Add customer to CRM
if (event.type === 'customer.created') {
  await crm.createContact({
    email: event.data.customer.email,
    source: 'pocketsflow'
  });
}

Update subscription access

Automatically grant or revoke access when subscriptions start, pause, or cancel. 
// Example: Manage subscription access
if (event.type === 'customer.subscription.deleted') {
  await revokeSubscriptionAccess(event.data.customer.email);
}

Send custom notifications

Trigger personalized emails, Slack notifications, or SMS messages based on events. 
// Example: Send welcome email
if (event.type === 'order.completed') {
  await sendEmail({
    to: event.data.customer.email,
    template: 'welcome',
    data: event.data
  });
}

Track metrics and analytics

Feed data into your analytics platform or internal dashboards. 
// Example: Track conversion in analytics
if (event.type === 'order.completed') {
  analytics.track('Purchase Completed', {
    revenue: event.data.amount,
    productId: event.data.product.id
  });
}

Creating a webhook

Step 1: Set up your endpoint

Create an HTTPS endpoint that can receive POST requests. Your endpoint must:
  • ✅ Accept POST requests with JSON payloads
  • ✅ Use HTTPS (required for security)
  • ✅ Respond within 5 seconds
  • ✅ Return a 2xx status code (200, 201, 204)
  • ✅ Verify webhook signatures (recommended)
Example endpoint (Express.js): 
const express = require('express');
const app = express();

app.post('/webhooks/pocketsflow', express.raw({type: 'application/json'}), (req, res) => {
  const signature = req.headers['x-pocketsflow-signature'];
  const payload = req.body;

  // Verify signature (see Authentication docs)
  if (!verifySignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  const event = JSON.parse(payload);

  // Process the event
  console.log('Received event:', event.type);

  // Acknowledge receipt
  res.status(200).send('Webhook received');
});

Step 2: Register in your dashboard

  1. Navigate to Settings → Developers → Webhooks
  2. Click Create Webhook
  3. Enter your endpoint URL (must be HTTPS)
  4. Select the events you want to receive
  5. Add a description (optional)
  6. Click Create
You’ll receive a webhook secret - save this securely to verify signatures.

Step 3: Test your webhook

Use the “Send Test Event” button in the dashboard to verify your endpoint is working correctly. Check:
  • ✅ Your server receives the request
  • ✅ Signature verification passes
  • ✅ You return a 2xx status code
  • ✅ Response time is under 5 seconds

Webhook configuration

Endpoint URL requirements

  • HTTPS only - HTTP endpoints are not supported for security
  • Publicly accessible - Must be reachable from the internet
  • Port 443 or 80 - Standard HTTPS/HTTP ports
  • Valid SSL certificate - Self-signed certificates not supported

Event selection

Choose which events to receive:
  • All events - Receive every event type (use with caution)
  • Specific events - Only receive selected event types (recommended)
You can update event selections at any time without creating a new webhook.

Multiple webhooks

You can register multiple webhook endpoints:
  • Separate webhooks for different services (CRM, email, etc.)
  • Staging vs production endpoints
  • Development and testing webhooks

Managing webhooks via API

You can also manage webhooks programmatically:

Create a webhook

POST /webhooks
Authorization: Bearer pk_live_...
Content-Type: application/json

{
  "url": "https://yoursite.com/webhooks",
  "events": ["order.completed", "customer.created"],
  "description": "Production webhook"
}

List webhooks

GET /webhooks
Authorization: Bearer pk_live_...

Update webhook

PATCH /webhooks/{id}
Authorization: Bearer pk_live_...
Content-Type: application/json

{
  "events": ["order.completed"],
  "active": true
}

Delete webhook

DELETE /webhooks/{id}
Authorization: Bearer pk_live_...

Webhook delivery

Timeout

Webhooks have a 5-second timeout. If your endpoint doesn’t respond within this time, the delivery is considered failed. Best practices:
  • Acknowledge receipt immediately (return 200)
  • Process events asynchronously in the background
  • Use a job queue for long-running tasks
app.post('/webhooks', (req, res) => {
  // Acknowledge immediately
  res.status(200).send('OK');

  // Process asynchronously
  processWebhook(req.body).catch(console.error);
});

Retry policy

Note: Pocketsflow currently does not automatically retry failed webhook deliveries. Implement your own retry logic or use a queuing system to handle failures.
Recommended approach: 
// Store webhook for retry if processing fails
app.post('/webhooks', async (req, res) => {
  res.status(200).send('OK'); // Acknowledge first

  try {
    await processWebhook(req.body);
  } catch (error) {
    // Store for retry
    await db.failedWebhooks.create({
      payload: req.body,
      error: error.message,
      retryCount: 0
    });
  }
});

Delivery logs

View webhook delivery history in your dashboard:
  1. Go to Settings → Developers → Webhook Logs
  2. View delivery status, timestamps, and responses
  3. Retry individual deliveries manually if needed
  4. Debug with full request/response data

Security

Signature verification

All webhooks include a signature header to verify authenticity: Header: X-Pocketsflow-Signature Verify every webhook request to prevent forgery. See Authentication & Security for implementation details.

HTTPS requirement

Webhooks are only sent to HTTPS endpoints to prevent:
  • Man-in-the-middle attacks
  • Eavesdropping on sensitive data
  • Payload tampering

IP whitelisting

For additional security, you can whitelist Pocketsflow’s IP addresses in your firewall:
Contact support@pocketsflow.com for current webhook IP ranges

Testing webhooks

Local development

Use tools to expose your local server for webhook testing: Option 1: ngrok 
ngrok http 3000
# Use the HTTPS URL (e.g., https://abc123.ngrok.io/webhooks)
Option 2: LocalTunnel 
lt --port 3000
Option 3: Cloudflare Tunnel 
cloudflared tunnel --url localhost:3000

Test mode

Use test mode webhooks during development:
  • Test API keys trigger test webhooks
  • No real transactions
  • Safe for experimentation

Manual testing

Trigger test events from the dashboard:
  1. Go to Settings → Developers → Webhooks
  2. Click on your webhook
  3. Click Send Test Event
  4. Select event type
  5. Review the response

Best practices

1. Verify signatures

Always verify webhook signatures to prevent forgery.

2. Use idempotency keys

Process each webhook only once using the event ID: 
const processedEvents = new Set();

function processWebhook(event) {
  if (processedEvents.has(event.id)) {
    return; // Already processed
  }

  // Process event...
  processedEvents.add(event.id);
}

3. Return 2xx immediately

Acknowledge receipt before processing: 
app.post('/webhooks', (req, res) => {
  res.status(200).send('OK'); // Do this first

  // Then process asynchronously
  handleEvent(req.body).catch(console.error);
});

4. Handle failures gracefully

Store failed events for manual review and retry.

5. Monitor webhook health

Track delivery success rates and response times.

6. Keep secrets secure

Store webhook secrets in environment variables, never in code: 
const WEBHOOK_SECRET = process.env.POCKETSFLOW_WEBHOOK_SECRET;

Troubleshooting

Common issues

Webhooks not being received:
  • ✓ Verify URL is HTTPS and publicly accessible
  • ✓ Check firewall/security group rules
  • ✓ Ensure endpoint returns 2xx status
  • ✓ Review webhook logs in dashboard
Signature verification failing:
  • ✓ Use the correct webhook secret
  • ✓ Verify payload as raw bytes, not parsed JSON
  • ✓ Check for whitespace or encoding issues
Timeouts:
  • ✓ Respond within 5 seconds
  • ✓ Process events asynchronously
  • ✓ Optimize endpoint performance
Duplicate events:
  • ✓ Implement idempotency using event IDs
  • ✓ Check for multiple webhook registrations

Next steps

Webhook Events

Explore all available event types and their payloads

Authentication & Security

Learn how to verify webhook signatures

Code Examples

See webhook implementations in multiple languages

Consuming Webhooks

Best practices for handling webhooks at scale