After an application is completed, if a webhook URL is configured, Prelim will attempt to send a POST request to that URL. The URL must respond with a 200 or a retry will be attempted. Requests have a request_id parameter to assist with deduplication of events.
Signature verification is highly recommended to authenticate these requests - you should have been provided with the HMAC key by your Prelim administrator.
POST body for webhooks
{
  "data": {
    "request_id": "f9ca65da-0527-4ea2-a357-2ba8a95b1a8e",
    "event_type": "APPLICATION_COMPLETED",
    "properties": {
      "application_id": "9c5a9376-10ec-428c-accb-7e9c1bafec66"
    }
  }
}
Signatures
Prelim's webhook signatures are based on Stripe's - if you've implemented HMAC signature verification before, you're ready to verify Prelim signatures.
The Prelim-Signature header included in each signed event contains a timestamp and one or more signatures. The timestamp is prefixed by t=, and each signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid live signature scheme is v1.
Prelim-Signature: t=1492774577, v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd
Prelim generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To prevent downgrade attacks, you should ignore all schemes that are not v1.
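A receiver-side verification sketch, added here as an example and not Prelim's own code. It assumes the signed payload is the timestamp, a ".", and the raw request body (Stripe's construction; this page does not spell it out) and a 300-second timestamp tolerance; the function names, key, body and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: replay window, not stated on the page


def parse_signature_header(header):
    """Return (timestamp, [v1 signatures]); all other schemes are dropped."""
    timestamp, v1_sigs = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and sep:  # v0, v2, ... are ignored (downgrade guard)
            v1_sigs.append(value)
    return timestamp, v1_sigs


def compute_v1(raw_body, timestamp, key):
    # Assumption: the signed payload is "<t>.<raw body>", as in Stripe's scheme.
    signed = str(timestamp).encode() + b"." + raw_body
    return hmac.new(key, signed, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, header, key, now=None):
    """True only if a v1 signature matches and the timestamp is fresh."""
    timestamp, v1_sigs = parse_signature_header(header)
    if timestamp is None or not v1_sigs:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_v1(raw_body, timestamp, key).encode()
    # compare_digest runs in constant time; any matching v1 value is accepted.
    return any(hmac.compare_digest(expected, s.encode()) for s in v1_sigs)


# Constructed sample values (not a real key or event).
DEMO_KEY = b"constructed-demo-key"
DEMO_BODY = b'{"data": {"request_id": "00000000-0000-0000-0000-000000000000"}}'
DEMO_T = 1700000000

if __name__ == "__main__":
    header = f"t={DEMO_T}, v1={compute_v1(DEMO_BODY, DEMO_T, DEMO_KEY)}"
    print(verify_webhook(DEMO_BODY, header, DEMO_KEY, now=DEMO_T + 5))
```

Verify against the raw request bytes before any JSON parsing, since re-serialising the body changes the bytes that were signed. Deduplicate on request_id only after the signature check passes.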