OuterSpatial Partner Events API

Stage: production

A secure, scalable webhook service for processing partner integration events with real-time authentication and rate limiting.

Key Features

Secure Authentication

HMAC-SHA256 signature verification ensures that only authenticated partners can send events to your system.

Rate Limiting

Built-in per-partner rate limiting prevents abuse and ensures fair usage across all integrations.

IP Allowlisting

Optional IP address filtering adds an extra layer of security for sensitive partner integrations.

Audit Logging

Comprehensive audit trail of all authentication attempts and API actions for compliance and debugging.

Async Processing

Events are acknowledged immediately and processed asynchronously for optimal performance.

Event Status Tracking

Monitor the processing status of events with detailed error messages and retry capabilities.

How It Works

  1. Partner Registration: Partners receive an API key and secret for authentication
  2. Event Submission: Partners send JSON payloads with proper authentication headers
  3. Validation: The service validates signatures, timestamps, and rate limits
  4. Processing: Valid events are stored and processed asynchronously
  5. Status Tracking: Partners can query the status of their submitted events

API Endpoints

POST/api/webhooks/events

Submit webhook events for processing

Required Headers:

  • x-api-key - Your partner API key
  • x-webhook-signature - HMAC-SHA256 signature
  • x-timestamp - Unix timestamp (within 5 minutes)

GET/api/webhooks/status

Check the processing status of submitted events

Query Parameters:

  • eventId - The ID of the event to check

GET/api/health

Health check endpoint for monitoring service availability

Authentication

Signature Generation

Generate the webhook signature using HMAC-SHA256:

# Generate timestamp
TIMESTAMP=$(date +%s)

# Create signature payload
PAYLOAD='{"id":"evt_123","type":"order.created","data":{...}}'
SIGNATURE_PAYLOAD="${TIMESTAMP}.${PAYLOAD}"

# Generate HMAC-SHA256 signature
SIGNATURE=$(echo -n "$SIGNATURE_PAYLOAD" | \
  openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)

# Include in request headers
x-webhook-signature: sha256=${SIGNATURE}
x-timestamp: ${TIMESTAMP}

JavaScript Example

const crypto = require('crypto');

async function sendWebhookEvent(apiKey, secret, eventData) {
  // Generate timestamp
  const timestamp = Math.floor(Date.now() / 1000).toString();
  
  // Prepare the payload
  const payload = JSON.stringify(eventData);
  
  // Create signature
  const signaturePayload = `${timestamp}.${payload}`;
  const signature = crypto
    .createHmac('sha256', secret)
    .update(signaturePayload)
    .digest('hex');
  
  // Send the request
  const response = await fetch('https://api.example.com/api/webhooks/events', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': apiKey,
      'x-webhook-signature': `sha256=${signature}`,
      'x-timestamp': timestamp
    },
    body: payload
  });
  
  return response.json();
}

// Example usage
const event = {
  id: 'evt_' + Date.now(),
  type: 'order.created',
  data: {
    orderId: 'ORD-456',
    amount: 99.99
  }
};

sendWebhookEvent('your_api_key', 'your_secret', event)
  .then(result => console.log('Event sent:', result))
  .catch(error => console.error('Error:', error));

cURL Example

curl -X POST https://api.example.com/api/webhooks/events \
  -H "Content-Type: application/json" \
  -H "x-api-key: your_api_key" \
  -H "x-webhook-signature: sha256=abc123..." \
  -H "x-timestamp: 1635360000" \
  -d '{
    "id": "evt_123",
    "type": "order.created",
    "data": {
      "orderId": "ORD-456",
      "amount": 99.99
    }
  }'

Response Status Codes

Best Practices

Test Webhook Endpoint

Use this tool to test the webhook endpoint with your partner credentials.

Check Event Status

Check the processing status of a previously submitted event.