NOTE: Webhook triggers are very powerful and without proper configuration, quite dangerous. For this reason, webhooks triggers are disabled by default in Wunderautomation. To enable webhook triggers, go to Automation → Settings → General and enable webhooks.
Each webhook trigger has to have a unique link. The link consists of two parts
The webhook slug is the base URL for all incoming webhooks, it’s the first part of the webhok url after the domain name. The default value is ‘wa-hook’ but you can modify it to any value that you see fit.
Webhook unique identifier
To differentiate between webhooks, each webhook gets a unique identifier. The default identifier value is a randomized 12 character long string. Just as with the slug, you can modify this to a value you e fit. Please be aware of that WunderAuomation does not check for duplicate webhook keys. If you define two workflows with the same unique key only one of them will be executed and it’s not possible to determine which one.
The WordPress base URL, the webhook slug and the unique identifier are combined into the unique URL for a webhook.
Webhook security is very important. WunderAutomation provides three different authentication mechanisms to authenticate an incoming http request. It’s possible to use zero, one or more authentication mechanisms.
Classic HTTP basic authentication as defined in RFC 7616. The Basic authentication method is enabled by default with a random username and password.
Please note that this method sends username and password in (almost) clear text. Should only be used on sites with SSL (https) enabled.
API key in header
Authenticates by checking a given HTTP header (defined in the workflow) for the correct API key.
Please note that this method sends the API key in clear text as an http header. Should only be used on sites with SSL (https) enabled
|HTTP Header||The name of the HTTP header where WunderAutomation should look for the API key. Example: X_API_KEY|
|Value||The API key. Note that this value is unique and different for each individual webhook workflow.|
HMAC Signed payload
Authenticates by verifying that a HMAC signature of the payload (posted data) signed with a shared secret key matches with the value provided in the header. The payload is signed using the SHA-1 algorithm (as it used by ie Gitbub).
This method never sends any secrets between the client and server, it is considered the safest of the three available methods.
|HTTP Header||The name of the HTTP header where WunderAutomation should look for the signature. Example: X_HUB_SIGNATURE|
|Secret||The shared secret between the server (WunderAutomation) and the client (the application / script that calls the webhook).|
Sending a valid HTTP request to a webhook using HMAC signed payload authentication:
A webhook trigger can inject up to four different objects into the workflow, a post, an order, a user or a comment. It’s possible to inject more than one object into the workflow, but only one object of each type.
The object the webhook provides is determined by the parameters passed to the webhook:
The above parameter configuration assumes that the client that calls this webhook provides two parameters;
user_id. The parameters can be passed as REQUEST URL parameters (in the request URL), as x-form-encoded parameters in the REQUEST BODY or as JSON in the request body.
The above URL would trigger the workflow with a webhook trigger id = "abc123abc123" and inject the post with id=999 and user with id=123 into the workflow. The filters and actions in that workflow can then use these two objects for filtering and as parameters.
Objects can be identified based on different properties, this is the
|post||1. ID, 2. Post slug||Note that slug can be unreliable|
|user||1. ID, 2. Email, 3. login name|
|order||1. ID, 2. Order key||Order keys|
The response is sent as JSON or plain text depending on the request Content-type header. In both cases, the following parameters are returned.
|fail||Unkown hook code||404||No webhook trigger found with the unique id passed|
|fail||Objects not found||400||One or more of the required objects was not resolved to a valid WordPress object|
|fail||Authentication failed||401||Authentication failed|
|ok||success||200||The workflow initialized as expected and the actions was executed.|