Webhooks

We use several webhooks to update you and your customers in near real time.

Authentication

Most of the time, webhooks are public-facing HTTP endpoints. So how can you be sure that a request comes from Cottoncast? Each request we send to your webhook is signed based on the request body.

Each request coming from Cottoncast has a Cottoncast-Authentication header. Its value is an HMAC-SHA256 hash calculated over the body content using the secret in your Cottoncast account.

Verifying the origin of Webhook requests

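$my_secret = 'CjXttYCtXJyDoyUxed8j'; // You can find this on the saleschannel page in your account.
// A missing header becomes an empty string, which can never match a real HMAC.
$header_hmac = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'] ?? '';
// Hash the raw request body exactly as received, before any parsing.
$body_hmac = hash_hmac('sha256', file_get_contents('php://input'), $my_secret);

// hash_equals() compares in constant time; a plain !== can leak timing information.
if (!hash_equals($body_hmac, $header_hmac)) {
  throw new Exception("Unauthorized");
}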

Response codes

We monitor the requests we make to your webhooks. Returning a useful status code will help both us and you to identify problems as quickly as possible.

A 200 response is considered a successful delivery of the message.
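
The signature check and the status code can be decided in one place. The following is an added example, not Cottoncast's own code: the function names, the COTTONCAST_WEBHOOK_SECRET environment variable, the JSON body, the sample event and the use of 401 and 400 are assumptions; only the header name, the HMAC-SHA256 scheme and the meaning of 200 come from this page.

```php
<?php
declare(strict_types=1);

// True only when $header is the hex HMAC-SHA256 of the raw body under $secret.
function cottoncast_signature_valid(string $rawBody, string $header, string $secret): bool
{
    if ($secret === '' || $header === '') {
        return false; // never accept an unset secret or a missing header
    }
    return hash_equals(hash_hmac('sha256', $rawBody, $secret), $header);
}

// Maps one delivery to an HTTP status code. Only 200 is documented on this
// page; 401 and 400 are assumptions based on standard HTTP semantics.
function webhook_status(string $rawBody, string $header, string $secret): int
{
    if (!cottoncast_signature_valid($rawBody, $header, $secret)) {
        return 401; // reject before parsing anything from the body
    }
    if (!is_array(json_decode($rawBody, true))) {
        return 400; // authentic but unparseable (JSON body is an assumption)
    }
    // Process the event here; return 200 only once it has been handled.
    return 200;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample delivery, signed locally with a placeholder secret.
    $secret = 'example-secret-not-real';
    $body   = '{"event":"order.updated","id":123}';
    $good   = hash_hmac('sha256', $body, $secret);
    var_dump(webhook_status($body, $good, $secret));        // valid signature
    var_dump(webhook_status($body . ' ', $good, $secret));  // body changed after signing
    var_dump(webhook_status($body, '', $secret));           // header missing
} else {
    // Hypothetical environment variable holding the account secret.
    $secret = (string) getenv('COTTONCAST_WEBHOOK_SECRET');
    $header = $_SERVER['HTTP_COTTONCAST_AUTHENTICATION'] ?? '';
    $body   = (string) file_get_contents('php://input');
    http_response_code(webhook_status($body, $header, $secret));
}
```

The HMAC is computed over the raw bytes of the body, so decoding and re-encoding the JSON before hashing would produce a different hash and reject genuine requests.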
