Webhook

Real-time notifications for collection request events

Webhooks allow your system to receive real-time notifications when a collection request changes state.

When the event occurs, qid sends a POST request to the configured webhook URL. Your server should receive the notification and then optionally call the API to fetch the latest data.

Webhook request

MethodPOST
Content-Typeapplication/json

Headers

HeaderDescription
X-QID-SignatureHMAC SHA256 signature of the webhook payload
X-QID-TimestampTimestamp used when generating the signature
X-QID-EventType of event that triggered the webhook
X-QID-Delivery-IdUnique ID for this webhook delivery
User-Agentqid-webhooks/1.0

Payload

{
  "event": "collection_request.updated",
  "requestId": "65fa92f3a8b2a4a1f2e9c0a1",
  "shareStatus": "open",
  "webhookIdentifier": "hotel_checkin_123",
  "timestamp": "1710000000000"
}

Fields

FieldDescription
eventEvent type
requestIdUnique ID of the collection request
shareStatusCurrent status of the share
webhookIdentifierCustom identifier provided when creating the request
timestampTime when the webhook was generated

Signature verification

To ensure the webhook request originated from qid, verify the signature using the webhook secret.

Signature is generated as:

HMAC_SHA256(secret, timestamp + "." + body)

Example verification logic:

const crypto = require('crypto');

const body = JSON.stringify(payload);
const signedPayload = timestamp + '.' + body;
const expectedSignature = crypto
  .createHmac('sha256', webhookSecret)
  .update(signedPayload)
  .digest('hex');

if (expectedSignature === receivedSignature) {
  // webhook is valid
}

Recommended processing flow

  1. Receive webhook request.
  2. Verify X-QID-Signature.
  3. Read the requestId.
  4. Optionally call the API to read the collection request.

Delivery behavior

  • Webhooks are sent via HTTP POST
  • Delivery timeout: 5 seconds
  • Redirects are not followed
  • Each webhook includes a unique X-QID-Delivery-Id

Example request

curl --request POST 'https://your-server.com/webhooks/qid' \
  --header 'Content-Type: application/json' \
  --header 'X-QID-Event: collection_request.updated' \
  --header 'X-QID-Timestamp: 1710000000000' \
  --header 'X-QID-Signature: 9a83f8a2c3...' \
  --header 'X-QID-Delivery-Id: 3f2b6c1d...' \
  --header 'User-Agent: qid-webhooks/1.0' \
  --data '{
    "event": "collection_request.updated",
    "requestId": "65fa92f3a8b2a4a1f2e9c0a1",
    "shareStatus": "completed",
    "webhookIdentifier": "hotel_checkin_123",
    "timestamp": "1710000000000"
  }'

Did this page help you?