Links

Webhooks

We use several webhooks to update you and your customer near real-time.

Authentication

Most of the time webhooks are public-facing http endpoints. So how can you be sure that a request comes from Cottoncast? Each request we sent to your webhook is signed based on the request body.
Each request coming from Cottoncast will have a header Cottoncast-Authentication. A Hash is calculated based on the body content using the secret in your Cottoncast account.

Verifying the origin of Webhook requests

$my_secret = 'CjXttYCtXJyDoyUxed8j'; // You can find this on the saleschannel page in your account.
$header_hmac = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'];
$body_hmac = hash_hmac('sha256', file_get_contents('php://input'),$my_secret);
if ($header_hmac !== $body_hmac)
throw new Exception("Unauthorized");

Response codes

We monitor the requests we make to your webhooks. Returning a useful status code will help us and and yourself to identify problems as quickly as possible.
A 200 response is considered a successful delivery of the message.
Code
Description
200
OK
202
Accepted
400
Bad Request
401
Unauthorized
404
Not found
405
Method not found
503
Service Unavailable
Last modified 1yr ago