Webhooks
Create, add and update webhook subscriptions
You can use webhook subscriptions to receive notifications about particular events that occur in an account. These event notifications are sent as a HTTP POST to the callback URL that you specify in the subscription.
Subscribing to events
Event types
Webhook subscriptions can be managed using the /webhooks
endpoint. To see a list of available events make a GET request to /webhooks/types
which will return a list of strings representing the events:
The /webhooks
endpoint will also allow you to list, edit and delete any subscriptions that you have created.
Creating a subscription
Requests to event notification URLs will timeout after 10 seconds.
Please ensure that your event notification URL responds in time.
To create a subscription, make a POST request to the /webhooks
endpoint:
- Response *
Effective May 30, 2025
Webhook subscriptions will be automatically removed if:
- The acquired refresh token has expired.
- The user or firm explicitly revokes access to the integration.
Action Required:
- Do not assume Webhook subscriptions persist after a user re-authenticates.
- After obtaining a new access token, check if Webhook subscriptions exist.
- If they do not exist, recreate them; otherwise, no action is needed.
- Check for existing Webhook subscriptions before creating new ones to avoid duplicate notifications and unnecessary load on your systems.
Ensure your integration follows this workflow to maintain Webhook functionality. If you have any questions, please contact support@smokeball.com.au.
Event handling
Notification schema
Webhook notifications contain event-specific data in their payload
field. The structure varies by event type - refer to the relevant API documentation for payload details.
Below is a sample notification for a matter.updated
event:
Identifies the specific account associated with the subscription.
Represents the unique identifier for the subscription.
Indicates the nature of the subscribed event.
Specifies the origin of the event - e.g. Smokeball
, API
This section holds the detailed information pertinent to the event.
Captures the exact moment when the event occurred. This is useful for the subscriber to ensure events are processed in order.
Handling duplicate events
Webhook endpoints may occasionally receive the same event more than once. We advise that you guard against this by making your event processing idempotent.
Order of events
Smokeball does not guarantee delivery of events in the order in which they are generated. It is rare but possible that you may receive a contact.updated
event before a contact.created
event.
Preventing infinite update loops
If you initiate a change to a resource via the API you will more than likely receive one or more webhook events caused by that change. If you are not careful you might find yourself in an update loop like the following scenario:
- A change is made to a resource in your system
- This triggers your code to call the Smokeball API to update the corresponding resource in Smokeball
- You receive a webhook event from Smokeball for the resource you updated
- You update the resource in your system
- This triggers you to call the Smokabll API to update the corresponding resource
- and so onβ¦
To avoid this scenario it is recommended that you set the RequestId
header with all of you API requests. If supplied, this header will always be returned in your API responses as well as all webhook events that were triggered from your original request. This allows you to filter or ignore webhook events that were initiaited by your changes.
Error Handling
Because our API request handling is an eventually consistent operation, we supply a error
webhook event so you can be notified when processing your API request has failed. We provide the name and id of the failed resource and a description of the problem.
A sample of the error
payload is as follows:
Verifying webhooks
If you supplied a key
when you created a subscription, a header called Signature
will be included when Smokeball calls your callback URL. The signature is a HMAC SHA256 hash that was created with the key that you provided. You can perform the same hashing process on your event processing side to verify that the request came from Smokeball.
Computing the HMAC
The Signature
hash is calculated using these three bits of information:
- The
Timestamp
header which is the ticks representation of the UTC datetime (.Net format) the webhook was sent - The
RequestId
header - Your
ClientId
that you use to authenticate with the API
These three parameters need to be concatenated into a single string, seperated by a |
and can then be used to create the hash.
For example:
This produces the hash string feb4b838a272884f6d2c2580b2c7ebb0b2f725b90e8baa6f9b5e1a17a9faec2d
Guarding against replay attacks
A replay attack is when an attacker intercepts a valid payload and its signature, then re-transmits them. To mitigate such attacks Smokeball provides a Timestamp
header which is the ticks representation (.Net format) of when the webhook event was sent. It is also part of the verification signature so an attacker can not change the timestamp without invalidating the signature.
If the signature is valid but the timestamp is too old, you may choose to reject the message.