Afosto|Developer Docs
/K

Webhooks#

Webhooks let you receive real-time HTTP notifications when events occur in the Afosto platform — without polling the API.

How it works#

When an event fires, Afosto sends an HTTP POST request to your registered endpoint with a signed JSON payload. Your endpoint must respond with a 2xx status to acknowledge receipt.

Your system
Afosto platform
1
Register endpoint URL
⚡ Event occurs
POST signed payload to your endpoint
X-Afosto-Hmac-Sha256 · Content-Type: application/json
3
4
Verify signature & process event
5
Respond 200 OK
Tip:Respond 200 OK immediately and process the payload in a background job. Slow handlers increase the chance of retries.

Payload structure#

Every webhook delivery shares the same envelope:

NameTypeRequiredDescription
event
String!
RequiredThe event name — e.g. `ORDER_OPENED`, `DELIVERED`. See [Events](/docs/webhooks/events) for the full list.
data
Object
RequiredThe event-specific payload — the full entity object at the time of the event. Shape varies per event type.
entity_id
String!
RequiredThe ID of the entity that triggered this event
entity_type
String!
RequiredThe type of entity — e.g. `order`, `delivery`
message_id
String!
RequiredUnique delivery ID. Use this for idempotency — the same event may be delivered more than once.
triggered_at
Int64
RequiredUnix timestamp in milliseconds when the event was triggered
{
  "event": "ORDER_OPENED",
  "data": { "id": "ord_72fca344-2a6f-4b3e-9c1d-5f8a2e7b0d93", "number": 1042, "progress": "OPEN" },
  "entity_id": "ord_72fca344-2a6f-4b3e-9c1d-5f8a2e7b0d93",
  "entity_type": "order",
  "message_id": "msg_3a1b2c4d-5e6f-7890-abcd-ef1234567890",
  "triggered_at": 1714000000000
}
·
Note:Always use message_id for deduplication. Network retries can result in the same event being delivered more than once.

Request headers#

Every webhook request includes these HTTP headers:

NameTypeRequiredDescription
Content-Type
String
RequiredAlways `application/json`
User-Agent
String
Required`Afosto/1.0 (+https://afosto.com/docs/webhooks)`
X-Afosto-Hmac-Sha256
String
RequiredHMAC-SHA256 hex digest of the raw request body, signed with your endpoint secret. See [Signature Verification](/docs/webhooks/signature-verification).
X-Afosto-Endpoint
String
RequiredUUID of the registered endpoint that received this delivery
X-Afosto-Tenant
String
RequiredYour tenant identifier

Retries#

If your endpoint returns a non-2xx response (or times out), Afosto retries the delivery for up to 24 hours with an increasing backoff interval between attempts.

Endpoint health#

Afosto continuously monitors endpoint health. Endpoints that repeatedly fail are automatically disabled and stop receiving deliveries. Fix the underlying issue and re-enable the endpoint in your settings to resume delivery.

Query Runnerhttps://afosto.app/graphql

No query loaded

Click play on any code block in the docs to load a query here.