> ## Documentation Index
> Fetch the complete documentation index at: https://developer.voyado.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhooks

A webhook can be seen as a reverse API. Instead of a user polling an API endpoint in a system (Engage, for example) to check for new data, the user can instead configure an URL in that system that can be called only when there is new data. This, essentially, is a webhook.

Structurally, a webhook is just a HTTP POST to an open API. They are simpler than an API endpoint, but have less functionality.

Webhooks, for example, don't allow pushing, deleting or updating data in another system, only receiving data. When you're only sending *specific data occasionally* webhooks might be a good solution.

<Tip>
  You only receive data over a webhook when an event occurs. So if the other system doesn't call your webhook with data you can't be sure if it's because no events are occurring, or if the other system is down. Keep this in mind.
</Tip>

The advantages of webhooks are therefore:

* A simpler integration
* Less data being passed
* No polling needed
* Updates only sent when changes happen

## Webhooks currently available

Currently these webhooks can be used in Engage:

<AccordionGroup>
  <Accordion title="Contact preferences for email changed">
    This webhook with the ID `contact.acceptsEmail.changed` is triggered whenever the `acceptsEmail` preference changes for an already existing contact.
  </Accordion>

  <Accordion title="Contact preferences for SMS changed">
    This webhook with the ID `contact.acceptsSms.changed` is triggered whenever the `acceptsSms` preference changes for an already existing contact.
  </Accordion>

  <Accordion title="Contact preferences for postal changed">
    This webhook with the ID `contact.acceptsPostal.changed` is triggered whenever the `acceptsPostal` preference changes for an already existing contact.
  </Accordion>

  <Accordion title="Contact consent changed">
    The webhook with the ID `contact.consent.changed` is triggered for changes in consent-typed fields on a contact.
  </Accordion>

  <Accordion title="Points - added">
    This webhook with the ID `loyalty.addPoints` is triggered whenever points are added to a contact via the Engage UI or through an automation. The transaction is sent in the webhook.

    <Warning>
      This is used *only* for customers using the point follower solution.
    </Warning>
  </Accordion>

  <Accordion title="Points - balance updated">
    This webhook with the ID `point.balance.updated` is triggered whenever a contact's point balance has changed.
  </Accordion>

  <Accordion title="Vouchers - created">
    This webhook with the ID `reward.voucher.created` is triggered whenever a reward voucher is created for a contact.
  </Accordion>

  <Accordion title="Multichannel promotion assigned">
    This webhook with the ID `promotion.multichannel.assigned` is triggered when a multichannel promotion is assigned to a contact in Engage.
  </Accordion>

  <Accordion title="Contact created">
    This webhook with the ID `contact.created` is triggered whenever a new contact is **created** in Engage.
  </Accordion>

  <Accordion title="Contact updated">
    This webhook with the ID `contact.updated` is triggered whenever a new contact is **updated** in Engage.
  </Accordion>

  <Accordion title="Contact deleted">
    This webhook with the ID `contact.deleted` is triggered whenever a new contact is **deleted** in Engage.
  </Accordion>
</AccordionGroup>

Read more about how each webhook event can actually be used in the use-cases article:

<Card title="See the webhook use-cases" href="/docs/webhooks/webhook-use-cases" icon="https://mintcdn.com/voyado/Ns4bBcK3LNctK_Un/icons/developer-link.png?fit=max&auto=format&n=Ns4bBcK3LNctK_Un&q=85&s=fbd08f956358ab12f664a7158e1a1399" horizontal width="128" height="128" data-path="icons/developer-link.png" />

<Warning>
  Even though you are free to configure subscriptions to all the available events, you'll still need to reach out to your Voyado Account Manager or Voyado support to activate the events that you want to subscribe to, so that the data actually gets sent from Engage.
</Warning>

## Requirements

Here are the various requirements for working with webhooks in Engage.

### Basic client requirements

To receive webhooks from Engage you will need to develop and deploy a web service. This is basically an API with a POST endpoint. It's common to use one service for all webhooks and then distributes the incoming events internally to your different systems.

<Tip>
  When developing your webhooks, a service like [Svix Play](https://www.svix.com/play) or [ngrok](https://ngrok.com/) can be used to receive webhooks from the internet on your local development machine.
</Tip>

Your web service must be accessible over the internet. Fixed source IP addresses can be used if your endpoint is behind a firewall or NAT.

There should be no authentication at the receiving endpoint. Instead, you'll verify that the events received are sent from Voyado Engage using signatures and a shared signing secret.

The service you provide must be able to scale with the load.

Voyado's webhooks service provider Svix has good documentation on how to consume webhooks.

<Card title="How to consume webhooks using Svix" href="https://docs.svix.com/receiving/introduction" icon="right" horizontal />

### Technical client requirements

You, the client, must develop functionality to verify the webhooks are from the correct sender.

<Card title="How to verify payload using Svix" href="https://docs.svix.com/receiving/verifying-payloads/why" icon="right" horizontal />

Voyado's webhooks service (Svix) has SDKs and libraries to handle most of what is needed. Libraries are available in Go, Python, Typescript/Javascript, Java, Kotlin, Ruby, C# (dotnet), Rust and PHP.

<Card title="Code libraries available for Svix" href="https://github.com/svix/svix-webhooks/" icon="right" horizontal />

You can see source IP addresses [here](https://docs.svix.com/receiving/source-ips). This integration uses the EU region.

It's possible to add custom headers to webhooks and also rate limiting, if needed.

If you want to use the optional feature of end-to-end encryption, you must develop functionality to decrypt the payload data (in the same way as with soft identification.

<Card title="Read more soft identification" href="/docs/contacts/identify-contact/soft-identification" icon="https://mintcdn.com/voyado/Ns4bBcK3LNctK_Un/icons/developer-link.png?fit=max&auto=format&n=Ns4bBcK3LNctK_Un&q=85&s=fbd08f956358ab12f664a7158e1a1399" horizontal width="128" height="128" data-path="icons/developer-link.png" />

### Legal requirements

<Warning>
  When you are implementing webhooks in Engage and move to a production environment, you'll need to approve Svix (Voyado's webhooks provider) as a GDPR sub-processor.
</Warning>

<Card title="Read about GDPR sub-processors" href="https://www.gdprsummary.com/gdpr-definitions/sub-processor/" icon="right" horizontal />

### Security considerations

The security involved in using the webhooks solution can be seen as many nested layers.

1. **The webhook itself**: No security.
2. **Signing the webhook message** with Signing Secret: The recipient can use this to verify that the webhook comes from Voyado. The Signing Secret is found in the portal (meaning that Svix controls it). The client can rotate the key whenever they want.
3. **IP lock**: By using this, messages can only be accepted from specific IP addresses.
4. **Payload encryption**: All data from Engage is encrypted with a key that only Voyado and the client know. It is configured in Engage, meaning that Svix cannot read any of the data that passes through it.

<Warning>
  While it is the client themselves who decides how many layers to implement, layers 1 and 2 above are the absolute minimum.
</Warning>

## Setting up a webhook in Engage

Once you have created your webhooks, you'll need to set them up in Engage. The steps are:

<Steps>
  <Step title="Enable webhooks in Engage">
    Contact your Voyado account manager to enable webhooks in your Engage instance. Depending on your agreement, a supplement might be required. The webhooks module must then be activated in the Engage back-end, and the correct permissions granted to users.
  </Step>

  <Step title="Configure client endpoint">
    Now you'll configure the client endpoint in the Engage UI.

    Go to **Administration/Webhooks Dashboard** to see the Webhooks already set up.

    Then select **+ Add Endpoint** to add another.

    <Frame caption="Webhooks already set up">
      <img src="https://mintcdn.com/voyado/PI02xvBhFqUrWmu9/images/webhooks-02.png?fit=max&auto=format&n=PI02xvBhFqUrWmu9&q=85&s=07d86069f7a5966e87b07fc523d2734b" alt="Webhooks already set up" width="1266" height="881" data-path="images/webhooks-02.png" />
    </Frame>
  </Step>

  <Step title="Choose events to use">
    After adding your endpoint, select it and then choose which event you want to send to it:

    <Frame caption="Choose event to send">
      <img src="https://mintcdn.com/voyado/PI02xvBhFqUrWmu9/images/webhooks-03.png?fit=max&auto=format&n=PI02xvBhFqUrWmu9&q=85&s=8f31d7d4f838f75ba4fdb63a00aa1977" alt="Choose event to send" width="1739" height="876" data-path="images/webhooks-03.png" />
    </Frame>
  </Step>

  <Step title="Add verification and encryption">
    Get the Signing Secret used for verification, as well as the Payload Encryption Key (if you are using it) from your Voyado account manager. When sending these to somebody else, be careful to use the same trusted method as when sharing API-keys. The signing secret is created and handled by Svix, and can be rotated if needed.

    <Frame caption="Choose event to send">
      <img src="https://mintcdn.com/voyado/PI02xvBhFqUrWmu9/images/webhooks-04.png?fit=max&auto=format&n=PI02xvBhFqUrWmu9&q=85&s=c552d552c53fe1705bbbc605b13f0ffb" alt="Choose event to send" width="1263" height="880" data-path="images/webhooks-04.png" />
    </Frame>
  </Step>

  <Step title="Test your webhook">
    You can use the “Testing” functionality in Svix to send test-events to the endpoint. Check the log for errors.
  </Step>

  <Step title="Configure a rate limit (optional)">
    If you need it, configure a rate limit so the client endpoint can handle the load.
  </Step>

  <Step title="Configure a custom header(optional)">
    You can also choose to configure a custom header with some kind of token to further increase security.
  </Step>
</Steps>