We use several webhooks to update you and your customer in near real time.
Most of the time, webhooks are public-facing HTTP endpoints. So how can you be sure that a request comes from Cottoncast? Each request we send to your webhook is signed based on the request body.
Each request coming from Cottoncast will have a Cottoncast-Authentication header. A hash is calculated from the body content using the secret in your Cottoncast account.
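$my_secret = 'CjXttYCtXJyDoyUxed8j'; // You can find this on the saleschannel page in your account.
// Signature sent by Cottoncast; empty string if the header is missing.
$header_hmac = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'] ?? '';
// HMAC-SHA256 of the raw request body, computed with your secret.
$body_hmac = hash_hmac('sha256', file_get_contents('php://input'), $my_secret);
// hash_equals() compares in constant time, unlike !==.
if (!hash_equals($body_hmac, $header_hmac)) {
    throw new Exception("Unauthorized");
}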
We monitor the requests we make to your webhooks. Returning a useful status code will help both us and you to identify problems as quickly as possible.
A 200 response is considered a successful delivery of the message.
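The signature check and the status codes combined into one receiver, as an added example that is not Cottoncast's own code. Only the header name, the HMAC-SHA256 scheme and the 200 response come from this page; the 401 and 500 codes, the COTTONCAST_WEBHOOK_SECRET environment variable and the empty processing callback are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** True only if $header is the HMAC-SHA256 (hex) of the raw $body under $secret. */
function signature_is_valid(string $body, ?string $header, string $secret): bool
{
    if ($secret === '' || $header === null || $header === '') {
        return false; // fail closed: an unset secret must never validate anything
    }
    return hash_equals(hash_hmac('sha256', $body, $secret), $header); // constant time
}

/** Maps one delivery to the HTTP status the endpoint returns (401/500 are assumptions). */
function status_for_delivery(string $body, ?string $header, string $secret, callable $handler): int
{
    if (!signature_is_valid($body, $header, $secret)) {
        return 401; // missing or wrong signature: the handler never runs
    }
    try {
        $handler($body); // application logic sees only authenticated bodies
        return 200;      // the status this page treats as a successful delivery
    } catch (Throwable $e) {
        return 500;      // signature was valid, our own processing failed
    }
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed values (not real Cottoncast data).
    $secret = 'constructed-test-secret';
    $body   = '{"constructed":"sample body"}';
    $sig    = hash_hmac('sha256', $body, $secret);
    $noop   = static function (string $b): void {};
    $fail   = static function (string $b): void { throw new RuntimeException('db down'); };
    foreach ([
        'valid'     => status_for_delivery($body, $sig, $secret, $noop),
        'tampered'  => status_for_delivery($body . ' ', $sig, $secret, $noop),
        'no header' => status_for_delivery($body, null, $secret, $noop),
        'no secret' => status_for_delivery($body, $sig, '', $noop),
        'handler'   => status_for_delivery($body, $sig, $secret, $fail),
    ] as $case => $status) {
        echo str_pad($case, 10), $status, PHP_EOL;
    }
} else {
    // Web entry point: verify the raw bytes exactly as received, before any parsing.
    $secret = (string) getenv('COTTONCAST_WEBHOOK_SECRET'); // assumed variable name
    $header = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'] ?? null;
    $process = static function (string $b): void { /* hypothetical: your own processing */ };
    http_response_code(status_for_delivery((string) file_get_contents('php://input'), $header, $secret, $process));
}
```

Run from the command line, the script exercises the five constructed cases; served over HTTP, it acts as the endpoint itself.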