Skip to main content
Webhooks let your systems react to Tybrite events the moment they happen — no polling, no lag. When an order is paid, a payment fails, or a customer signs up, Tybrite sends an HTTP POST to your registered endpoint containing the full event payload.
Dashboard: You can manage webhook endpoints directly from Settings → Webhooks in your Tybrite dashboard, or programmatically via the API and SDK.

Quick start

1. Create an endpoint
2. Verify + handle deliveries
3. Send a test event

Event catalogue

All events follow the same envelope shape — only type and data.object vary.

Orders

Payments

Customers

Inventory & catalog

Cart & checkout

Gift cards

Promotions

Content & collections

Store lifecycle & configuration

Feature availability

The Content & collections, Store lifecycle, and Feature availability events describe a store growing rather than a single transaction. They are what an automation tool listens to when it keeps a storefront in step with the store — adding a promo banner the moment a promotion goes live, a reviews block when the first reviews are approved, or a “shop by collection” row when a collection becomes homepage-eligible. See the automated workflows guide.

Catalog sync & syndication

Wholesale (B2B)

For stores with wholesale enabled, the B2B lifecycle also emits events: b2b.rfq.created, b2b.quote.sent / .accepted / .rejected, b2b.po.issued / .confirmed / .fulfilled, and b2b.invoice.issued / .paid / .overdue.

Event payload shape

Every event uses a consistent envelope:
previous_attributes is present on update events and contains only the fields that changed — useful for transition-based logic (e.g. “did payment_status just flip to paid?”).

Signature verification

Every delivery carries:
The signed string is ${timestamp}.${raw_request_body}. The secret is the signing_secret returned when the endpoint was created (per-endpoint, not the store HMAC secret).
Use the raw body. JSON parsers may reformat whitespace or key ordering, producing a different byte sequence that will fail verification. Capture the raw bytes before parsing.
Serverless function example:
Next.js App Router example:

Delivery contract

Always respond quickly. Return 2xx within 30 seconds and do heavy processing asynchronously (queue it). If your handler times out, Tybrite treats the delivery as failed and retries.

Idempotency

Because delivery is at-least-once, your handler may receive the same event more than once on retries. Guard with a seen-events store:

Managing endpoints via the Dashboard

Go to Settings → Webhooks in your Tybrite dashboard to:
  • Create, edit, disable, or delete endpoints
  • Choose which event types to subscribe to (or select “All events”)
  • Send a test event with one click to verify your handler
  • View per-endpoint delivery statistics and the full event log
  • Retry failed deliveries

Managing endpoints via the API

See the WebhooksService SDK reference or the API Reference for the complete endpoint documentation.

Security checklist

  • Verify X-Tybrite-Signature on every delivery before processing
  • Reject requests where |now − timestamp| > 300s (replay protection)
  • Use timingSafeEqual for constant-time comparison (prevents timing attacks)
  • Store signing_secret in a secrets manager — never in source code
  • Return 2xx immediately and process events asynchronously
  • Implement idempotency using event.id
  • Use HTTPS with a valid TLS certificate on your endpoint