Skip to content

Outbound Webhooks

Signed Event Notifications

Last updated: July 3, 2026

Webhooks push store events to your own systems in real time — sync orders to an ERP, notify a 3PL, trigger automations, or update a data warehouse. STOAR sends a signed JSON POST to your endpoint whenever a subscribed event occurs.

Creating an Endpoint #

Go to Admin → REST API → Webhooks → Create:

  1. Enter your Payload URL (where STOAR will POST).
  2. Select the topics you want to receive.
  3. Save — STOAR generates a signing secret for the endpoint (shown when you edit it).

Topics #

Topic Fires when
order.paid An order is paid
order.refunded An order is refunded
order.cancelled An order is cancelled
customer.created A customer registers
product.created A product is created
product.updated A product is updated
product.deleted A product is deleted

Payload & Verification #

Each delivery is a JSON POST:

{
  "topic": "order.paid",
  "created_at": "2026-06-13T10:00:00+00:00",
  "data": { "id": 123, "order_number": "ORD-000123", "total_amount": 92.50, "currency": "USD", ... }
}

Headers:

  • X-Stoar-Topic — the event topic
  • X-Stoar-Delivery — the delivery ID
  • X-Stoar-Signaturesha256=<hmac> of the raw body using your endpoint's secret

Verify each request by computing an HMAC-SHA256 of the raw request body with your signing secret and comparing it to the signature header. Reject requests that don't match.

Delivery & Retries #

  • Deliveries are queued and sent in the background.
  • A non-2xx response or timeout is retried with backoff several times.
  • Every attempt (status, HTTP code, error) is recorded in the endpoint's delivery log in the admin, so you can see exactly what was sent and how your endpoint responded.

Notes #

  • Endpoints can be deactivated without deleting them.
  • Make your handler idempotent — use X-Stoar-Delivery to de-duplicate retried deliveries.