Webhooks


Webhooks allow you to receive notifications for the supported events in OnlinePajak. When one of those events is triggered, we will send a HTTP POST payload to the webhook's configured URL. Webhooks can be used to update an external resource whenever an event occurs in OnlinePajak.

Creating a Webhook

To create a webhook:

  1. Login to your Developer Account.
  2. Click on the + Create button and selct Webhook from the drop down.
  3. Enter the webhook URL to which the payload needs to be sent.
  4. Select the Company or App that you want to associate the webhook to.
  5. Select the list of events that you would like to receive notification.
  6. Optionally add any headers that you would need to be sent on the request.
  7. Optionally add a security key to generate a payload signature to be included in the HTTP request header.

Webhooks can be associated with your OnlinePajak company or any of your Apps.

Webhook associated with OnlinePajak Company

When a webhook is associated with an OnlinePajak company, we will send the HTTP POST payload for all the configured events for the company regardless of the origin of data. E.g. If you have configured a webhook to receive notification for the PPN Invoice Approved event, we will send the webhook payload to the configured URL whenever an invoice is approved in OnlinePajak regardless of how the invoice was created in OnlinePajak.

Webhook associated with App

When a webhook is associated with an app, we will send the HTTP POST payload for all the configured events for the data originating from that App. E.g. If you have configured a webhook to receive notification for the PPN Invoice Apporved event, we will send the webhook payload to the configured URL whenever an invoice, that is created from the App is approved in OnlinePajak.

Webhook Security

There are multiple ways to secure your webhook.

  1. Static headers

You can add one or more HTTP headers to the webhook that will always be send along with the payload. E.g. you can add an API_KEY header with a specific value, which will be included in the HTTP post request.

  1. Payload Signature If you have added a Security key for the webhook, we will send a HTTP header (x-op-signature) which is a sha1 hash of the paylad using the security key. You can compute the hash again using the Http request body and the security key and compare the values to validate the Request.

Below is a snippet of code in NodeJs to generate the signature.

        require('crypto')
        .createHmac('sha1', securityKey)
        .update(payload)
        .digest('hex');

List of Events and Payloads

The list of supported Events and the corresponding payload format is documented here