Webhooks
Webhooks allow your application to receive real-time notifications when events occur in the Kesk platform. Instead of polling for updates, webhooks push data to your server as events happen.
Setting Up Webhooks
1. Create a Webhook Endpoint
Set up an HTTPS endpoint on your server to receive webhook events:
// Express.js example
app.post('/webhooks/kesk', (req, res) => {
const signature = req.headers['x-kesk-signature'];
const payload = req.body;
// Verify the webhook signature
if (verifySignature(payload, signature)) {
// Process the event
handleEvent(payload);
res.status(200).send('OK');
} else {
res.status(401).send('Invalid signature');
}
});2. Register Your Webhook
Register your endpoint in the developer dashboard or via API:
curl -X POST https://api.kesk.app/v1/webhooks \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-domain.com/webhooks/kesk",
"events": ["order.created", "order.updated", "delivery.completed"]
}'Event Types
Order Events
| Event | Description |
|---|---|
order.created | A new order has been placed |
order.updated | Order status has changed |
order.cancelled | Order has been cancelled |
order.completed | Order has been delivered |
Delivery Events
| Event | Description |
|---|---|
delivery.assigned | Driver assigned to delivery |
delivery.picked_up | Order picked up from merchant |
delivery.in_transit | Delivery in progress |
delivery.completed | Delivery completed |
Payment Events
| Event | Description |
|---|---|
payment.successful | Payment processed successfully |
payment.failed | Payment failed |
payment.refunded | Refund processed |
Webhook Payload
All webhook events follow this structure:
{
"id": "evt_1234567890",
"type": "order.created",
"created_at": "2024-01-15T10:30:00Z",
"data": {
"order_id": "ord_abc123",
"status": "pending",
"total": 25.99,
"currency": "EUR"
}
}Verifying Signatures
All webhook requests include a signature in the X-Kesk-Signature header. Verify this signature to ensure the request came from Kesk:
const crypto = require('crypto');
function verifySignature(payload, signature) {
const secret = process.env.WEBHOOK_SECRET;
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(JSON.stringify(payload))
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
}Retry Policy
If your endpoint returns a non-2xx status code, we’ll retry the webhook:
- Attempt 1: Immediately
- Attempt 2: After 5 minutes
- Attempt 3: After 30 minutes
- Attempt 4: After 2 hours
- Attempt 5: After 24 hours
After 5 failed attempts, the webhook will be marked as failed and we’ll notify you via email.
Best Practices
- Return quickly: Respond with 200 within 5 seconds
- Process asynchronously: Queue events for background processing
- Handle duplicates: Implement idempotency using event IDs
- Verify signatures: Always validate webhook authenticity
- Use HTTPS: Webhook endpoints must use TLS encryption