API Reference
Webhooks Guide
Webhooks are a powerful way to stay in sync with data changes. Instead of polling the API, Cobra Connect Distribution will push data to your URL in real time.
Configuration
You can manage your webhook endpoints in the Developer Dashboard. You can register up to 10 endpoints. Each endpoint can filter by specific event topics or listen to all events.
- Supported schemes: https:// (required for production)
- Timeouts: We wait 10 seconds for a 2xx response.
- Retries: We use exponential backoff for up to 24 hours.
Security & Verification
It is critical to verify that requests originate from Cobra Connect Distribution to prevent replay attacks or spoofing.
HMAC Signature
Every webhook request includes an X-WC-Webhook-Signature header. This is a Base64 encoded HMAC-SHA256 hash of the request body, signed with your Webhook Secret.
Example: Verifying Signature (Node.js)
```javascript
const crypto = require('crypto');

// 1. Get the signature from headers (a missing header becomes an empty string)
const signature = req.headers['x-wc-webhook-signature'] || '';

// 2. Get your secret (from Dashboard)
const secret = process.env.WEBHOOK_SECRET;

// 3. Calculate hash of the raw body
const hash = crypto
  .createHmac('sha256', secret)
  .update(req.rawBody) // Important: Use raw body, not parsed JSON
  .digest('base64');

// 4. Compare in constant time. timingSafeEqual throws on unequal lengths,
//    so check the lengths first.
const expected = Buffer.from(hash);
const received = Buffer.from(signature);
if (expected.length === received.length &&
    crypto.timingSafeEqual(expected, received)) {
  // Verified!
} else {
  // Reject
}
```
Retry Policy
| Attempt | Delay |
|---|---|
| 1 | Immediate |
| 2 | 60 seconds |
| 3 | 5 minutes |
| 4 | 30 minutes |
| 5+ | Exponential backoff up to 24h |
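The signature check from Security & Verification, as an added example (not Cobra Connect Distribution's own code) that shows where the raw body comes from when using Node's built-in http module, which has no req.rawBody of its own. The helper names, the onEvent callback, the 401/400 status choices and the sample secret and payload are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');
const http = require('http');

// Base64 HMAC-SHA256 of the body, as the guide describes the header value.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// True only if the header matches the HMAC of the exact bytes received.
function verifySignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string' || !secret) return false;
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(signatureHeader);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Plain http server: buffer the raw bytes, verify them, and only then parse.
// onEvent is a hypothetical callback supplied by the caller.
function createWebhookServer(secret, onEvent) {
  return http.createServer((req, res) => {
    const chunks = [];
    req.on('data', (chunk) => chunks.push(chunk));
    req.on('end', () => {
      const raw = Buffer.concat(chunks);
      const header = req.headers['x-wc-webhook-signature'];
      if (!verifySignature(raw, header, secret)) {
        res.statusCode = 401; // unsigned or tampered: reject, do not parse
        return res.end();
      }
      let event;
      try { event = JSON.parse(raw.toString('utf8')); }
      catch { res.statusCode = 400; return res.end(); }
      res.statusCode = 200; // acknowledge before slow work (10-second timeout)
      res.end();
      onEvent(event);
    });
  });
}

// Constructed sample values, not a real secret or payload.
const SAMPLE_SECRET = 'constructed-secret';
const SAMPLE_BODY = '{"example": "constructed payload", "n": 1}';
const reSerialized = JSON.stringify(JSON.parse(SAMPLE_BODY)); // spacing changes
console.log(verifySignature(SAMPLE_BODY, sign(SAMPLE_BODY, SAMPLE_SECRET), SAMPLE_SECRET));
console.log(verifySignature(reSerialized, sign(SAMPLE_BODY, SAMPLE_SECRET), SAMPLE_SECRET));
```

The second call fails because parsing and re-serializing the JSON changes the bytes, which is why the hash must be taken over the raw body. The signature covers only the body, so a repeated delivery of the same body verifies again; handlers should be safe to run twice.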