html.surf
Sign in
Docs /Webhooks API Dashboard →

Webhooks API

Webhook endpoints for receiving notifications from external platforms and sending real-time events to your applications.

Incoming Webhooks

These endpoints receive webhooks from external platforms to trigger download token generation:

Shopify Orders

POST /webhooks/{orgId}/shopify

Receives order completion notifications from Shopify stores.

WooCommerce Orders

POST /webhooks/{orgId}/woocommerce

Handles order completions from WooCommerce WordPress sites.

Stripe Payments

POST /webhooks/stripe

Processes successful payments from Stripe checkout sessions.

FastSpring Orders

POST /webhooks/{orgId}/fastspring

Processes order completions from FastSpring.

VibraCart Pro Orders

POST /webhooks/{orgId}/vibracartpro

Receives order notifications from VibraCart Pro stores.

Download Completion (internal)

POST /webhooks/{orgId}/download-complete

Called by the Continuata downloader (browser or Bridge) at the end of a session to mark the token as used and write an activity log entry. You don't normally call this yourself — it's documented for completeness.

Webhook Security

Signature Verification

All webhooks include HMAC signatures for verification:

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// Usage
const isValid = verifyWebhook(
  req.body,
  req.headers['x-continuata-signature'],
  process.env.CONTINUATA_WEBHOOK_SECRET
);

Webhook Examples: See platform-specific webhook implementations in our Shopify and Stripe integration guides.