Skip to main content

Webhooks and Callbacks

APIMatic's SDKs provide comprehensive support for webhooks and callbacks, enabling developers to handle asynchronous API events with type-safe processing and built-in security features. This capability simplifies the integration of event-driven workflows and real-time notifications in modern applications.

Webhooks and Callbacks Configuration in OpenAPI

Here is an example of how to define webhooks and callbacks in your OpenAPI specification:

paths:
/payments:
post:
summary: Create a payment
callbacks:
paymentCallback:
'{$request.body#/callbackUrl}':
post:
summary: Payment status callback
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
status:
type: string

webhooks:
rejectedPayment:
...
verifiedPayment:
post:
summary: Verified payment status webhook
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
paymentId:
type: string
status:
type: string
...

For advanced configuration options including signature verification and custom grouping, APIMatic also supports webhook and callback OpenAPI extensions that provide enhanced functionality beyond the standard OpenAPI specification.

Usage Examples

[Route("webhooks")]
[ApiController]
public class WebhooksController : ControllerBase
{
// Use the provided handler to verify and parse the incoming event
private readonly PaymentHandler handler = new PaymentHandler("hmac-secret-key");

[HttpPost]
public async Task<IActionResult> ReceiveEvent()
{
// Create the HttpRequestData from the incoming HttpRequest
var eventRequest = HttpRequestData.FromAspNetCoreParams(
Request.Method,
Request.Scheme,
Request.Host.ToString(),
Request.Path.ToString(),
Request.QueryString.ToString(),
Request.Headers,
Request.Body,
Request.Query,
Request.Cookies,
Request.Protocol,
Request.ContentType,
Request.ContentLength
);

var eventParsingResult = await handler.VerifyAndParseEventAsync(eventRequest);
var result = eventParsingResult.MatchSome<string>(
verifiedPaymentEvent: payment => $"Payment verification received {payment}",
rejectedPaymentEvent: payment => $"Payment rejection received {payment}",
signatureVerificationFailed: error => $"Signature verification failed {error}",
unknown: () => "Unknown event received"
);

return Ok();
}
}

Benefits

  • Type-Safe Event Handling: Automatically generated handlers ensure type safety when processing webhook/callback events.
  • Built-in Signature Verification: Support for HMAC-based signature verification and payload validation to ensure authenticity and integrity.
  • Event Type Detection: Intelligent parsing and narrowing support multiple event or response types within the same endpoint.
  • Simplified Integration: Eliminates the need for custom parsing and validation logic when working with asynchronous flows.
  • Error Handling: Comprehensive error handling for malformed payloads, signature verification failures, and unknown event types.

Error Handling

The SDK provides built-in error handling for common issues encountered in both webhooks and callbacks:

Common Error Types

  • Signature Verification Failure
    This error occurs when:
    • The calculated HMAC signature doesn't match the signature provided in the headers
    • The required headers are missing
  • Unknown Event Type
    This error occurs when:
    • The request body is empty
    • The request body contains invalid or malformed JSON
    • The request body doesn't match any known event
    • The request body maps to more than one event