PrepBusiness supports webhooks to notify external systems when events occur (such as shipment updates or inventory changes). Webhooks can be configured by both merchants and warehouses.

Setting Up a Webhook

Webhooks can be configured from two places depending on who is setting them up:

• Merchants: Merchant Settings → Integrations
• Warehouses: Account Settings → Integrations → Webhooks

To create a webhook:

1. Navigate to the appropriate settings page above
2. Enter your webhook URL and select the events you want to subscribe to
3. Click Save
4. After saving, the HMAC secret is displayed once. Copy and store it securely — it will not be shown again.

Verifying Webhook Signatures

Every webhook request is signed with HMAC-SHA256 so you can verify it came from PrepBusiness.

• The signature is sent in the Signature HTTP header
• The value is an HMAC-SHA256 hex digest computed over the JSON-encoded request body using your webhook's secret

To verify a webhook request, compute the HMAC-SHA256 hash of the raw request body using your secret and compare it to the value in the Signature header.

Example (PHP)

$payload = file_get_contents('php://input');
$secret = 'your-webhook-secret';
$expected = hash_hmac('sha256', $payload, $secret);
$signature = $_SERVER['HTTP_SIGNATURE'] ?? '';

if (!hash_equals($expected, $signature)) {
    http_response_code(401);
    exit('Invalid signature');
}

Important Notes

• The HMAC secret is only displayed once when the webhook is first created. If you lose it, you will need to delete and recreate the webhook to get a new secret.
• Always verify the signature before processing webhook payloads to ensure the request is authentic.
• Webhook requests are sent as POST requests with a JSON body.