# Webhooks

We use several webhooks to update you and your customer near real-time.

## Authentication

Most of the time webhooks are public-facing http endpoints. So how can you be sure that a request comes from Cottoncast? Each request we sent to your webhook is signed based on the request body.

Each request coming from Cottoncast will have a header **Cottoncast-Authentication**. A Hash is calculated based on the body content using the secret in your Cottoncast account.

#### Verifying the origin of Webhook requests

```php
$my_secret = 'CjXttYCtXJyDoyUxed8j'; // You can find this on the saleschannel page in your account.
$header_hmac = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'];
$body_hmac = hash_hmac('sha256', file_get_contents('php://input'),$my_secret);

if ($header_hmac !== $body_hmac) 
  throw new Exception("Unauthorized");


```

## Response codes

We monitor the requests we make to your webhooks. Returning a useful status code will help us and and yourself to identify problems as quickly as possible. 

{% hint style="info" %}
A 200 response is considered a successful delivery of the message.
{% endhint %}

| Code | Description         |
| ---- | ------------------- |
| 200  | OK                  |
| 202  | Accepted            |
| 400  | Bad Request         |
| 401  | Unauthorized        |
| 404  | Not found           |
| 405  | Method not found    |
| 503  | Service Unavailable |