Skip to main content

Webhooks

Set up webhooks to receive real-time notifications for order and store events. Webhook v2 supports multiple endpoints, granular event selection, and signature verification.

Written by Help

Webhook v1 is being deprecated. Platform API v1 and webhook v1 will be turned off at the end of June. If you are still using webhook v1, please migrate to webhook v2 (described below) as soon as possible to avoid any interruption.

Webhooks let you receive real-time HTTP notifications whenever an order is created or updated in your Take App store. You can use webhooks to connect Take App to your own backend systems, automate workflows, or integrate with third-party tools — no polling required.

Setting up webhooks

  1. Go to Settings → Apps → Webhooks

  2. Click Add endpoint and enter an https:// URL that accepts POST requests

  3. Select which events this endpoint should subscribe to

  4. Click Save

Each endpoint has its own signing secret. Copy it anytime from the endpoint's ⋯ → Copy signing secret menu. You can rotate the secret at any time; the old secret stops working immediately.

What's in Webhook v2

  • Multiple endpoints — Add more than one URL to receive webhook events simultaneously. Useful for sending the same event to different services.

  • Granular event selection — Choose exactly which events each endpoint subscribes to. You no longer need to receive all events at every endpoint.

  • Signature verification — Each payload is signed with your endpoint's signing secret. Verify the signature on your server to confirm the request genuinely came from Take App.

Available events

  • order.created — A new order is placed, or a draft order is activated for the first time

  • order.updated — An existing order changes — status, payment, fulfillment, or line items

The event payload reuses the same Order object returned by the Merchant API V2 Get order endpoint, so you only need to model the order shape once.

Verifying webhook signatures

Each request is signed with your endpoint's signing secret using HMAC-SHA256, sent in the X-Take-Signature header. On your server, recompute the signature over the raw request body and compare it using a constant-time comparison. Reject any requests where the signatures don't match, and reject requests whose timestamp is too old (e.g. older than 5 minutes) to defend against replays.

Webhooks use at-least-once delivery, so treat them as idempotent: use the X-Take-Delivery-Id header to ignore duplicates. Events are not guaranteed to arrive in order — use the order's updated_at field to discard stale updates.

Full specification: For payload schemas, headers, signature verification code samples (Node.js and Python), and retry behaviour, see the Webhooks API reference.

Did this answer your question?