Webhooks
Webhooks bring efficiency and responsiveness to solution architectures, facilitating event-based flows among applications and services. In Socotra Insurance Suite, they are customized callbacks that allow external services to receive real-time notifications when specific events occur. This functionality enables seamless integrations that can react to changes as quickly as possible.
Managing Webhooks
You create a webhook with a POST
request to the Create Webhook endpoint, specifying the URL and event types that pertain to the webhook. The endpoint will then receive an EventResponse payload whenever the relevant event occurs. Webhooks and the Event Stream share the same EventResponse structure to describe an event.
Failure Handling
You can define a failure handling strategy for each webhook, ensuring that the system responds in a preferable way if it encounters a problem posting messages to the webhook endpoint. Strategies revolve around these questions:
For which errors should the failure handling strategy apply?
Should an endpoint (
alertEndpoint
) receive failure notices?Should the platform automatically retry on message delivery failure? If so, how many attempts (
1
to10
, default3
), and what should the time interval and pattern be (linear
orexponential
)?Should the platform persist messages that fail to be delivered? These can be retrieved later via the Diverted Events API.
If no failureHandling
is specified, the default strategy will apply:
"failureHandling": {
"triggers": [
"4xx",
"5xx",
"timeout"
],
"divert": false,
"suspend": false
}
The default specifies no retry strategy or alert endpoint and does not automatically suspend the webhook, nor does it divert failed messages for later pickup via the Diverted Events API. It effectively means “behave with indifference as to whether message delivery succeeds”.
The triggers
array can be populated with specific 400- or 500-level HTTP codes, or all in those levels ("4xx"
, "5xx"
). The special keyword "timeout"
is also recognized.
If suspend
is set to true
, it means that the webhook will be suspended automatically if it exhausts all retry attempts while trying to deliver a message. If no retry strategy is specified, no retry attempts will be made, and the webhook will be suspended following the first failure. Webhook suspension will result in an event being posted to the alertEndpoint
if one has been configured, and subsequent messages diverted if the divert
property is set to true
. Webhooks can be unsuspended with the unsuspend endpoint endpoint.
When defining a retry strategy, you may set the type
to linear
or exponential
. While linear
results in a request being made at a constant frequency specified by the interval
(in milliseconds), exponential
means that the wait period between retry attempts will grow as defined in the equation {interval}} + {attempt}^4
.
Security Features
https://
endpoints can be configured with the following:
A
secret
to be used in an HMAC signature (see RFC 2104 - Keyed-Hashing for Message Authentication) that will be supplied in thesocotra-signature
header of messages sent to that endpoint.A
tag
to label whichsecret
is currently in use. Must be between 2 and 32 characters, inclusive.An
hmacEnabled
flag that determines whether thesocotra-signature
should be derived and sent in message headers.A
secureSSL
flag that toggles TLS certificate verification. It istrue
by default.
secret
can only contain alphanumeric characters and underscores, with a length between 8 and 64 characters.
The tag
is optional, intended as a convenience that can facilitate secret rotations by ensuring that message recipients can easily identify which secret was used to generate the signature value. Even if there are in-flight messages using an old shared secret when you update the secret on the Socotra platform (with a new tag), your receiving code can identify those by the prior tag
and use the corresponding prior secret value to verify the signature.
Note
The ability to disable TLS certificate verification is provided for testing and configuration purposes. It should not be left as false
in production systems handling real customer data.
Signature Verification
The socotra-signature
header takes the following form:
socotra-signature: t=<timestamp>,v1=<signature>,tag=<tag>
timestamp
is the UTC timestamp associated with the event transmission, in milliseconds.signature
is the SHA-256 HMAC-hashed signature of the concatenated values timestamp.JSONpayload.tag. If there is no tag associated with the shared secret, then the value is derived from timestamp.JSONpayload.tag
is the optional tag name supplied inSecuritySpecification
as a label for the current shared secret.
For verification, the signature derivation can be performed with standard cryptographic library functions in all popular programming languages. Below is an example in JavaScript:
const crypto = require('crypto');
const secret = 'abracadabraabracadabraabracadabraabracadabraabracadabra';
const timestamp = '1695835536124';
const jsonPayload = '{"id":"20012343863","transactionId":"254cb37e-43c4-4102-845a-fbfc5978537d","timestamp":1695835536078,"data":{"username":"alice.lee"},"type":"login.success","username":"alice.lee"}'
const tag = 'secret-1';
const algorithm = 'sha256';
const hmac = crypto.createHmac(algorithm, secret);
hmac.write(`${timestamp}.${jsonPayload}.${tag}`);
hmac.end();
const hash = hmac.read().toString('hex');
console.log("HMAC: ", hash);
See Also
Events: List of events and data structures
Webhook API reference: Details on creating, reading, listing, updating, and deleting webhooks