Webhooks (sometimes also called "Reverse APIs") are Marketplacer initiated events that we send to a customer endpoint. These events relate to the creation, update or destruction of data within Marketplacer, e.g.:
- Adverts / Variants
- Invoices / Orders
- Shipments
- Refund Requests
For more information on what webhooks are, how to set them up and the event scenarios that can trigger them, see Webhooks overview on the Marketplacer Developer Portal.
Can customers "whitelist" the webhook calls?
In short, no.
Customers often ask whether they can "whitelist the IP Address" that our webhooks are sent from. The reason for this request is based on the desire to only allow authorised traffic, (those i.e. requests that come from Marketplacer), to reach the customer endpoint.
Given the architecture of the Marketplacer platform, i.e. cloud-native & container-based, we do not make use of static IP addressing and therefore attempting to whitelist based on a static IP address is not possible.
What's the alternative?
Customers can add "authentication headers" to the webhooks they configure in marketplacer. This can take any form, but common approaches are:
- Use basic authentication
- Use key-based (bearer) authentication
Either way this would be configured in the webhook header pay load as shown below:
How to edit webhook headers
- Login to the Operator or Seller portal
- Operator Portal: Configuration-> Webhooks
- Seller Portal: "3 Dots in top right" -> API & Integrations -> webhooks
- Select the edit icon for the webhook you want to configure (or create a new one)
- Scroll down to Headers (optiona)
- You can then enter a standard JSON attribute / value pair, e.g.:
{
"auth-key": "jhjkfhdkhfkdhsfhdskhfs"
}
Related articles