Webhooks

Receive real-time notifications when data changes. Brutlers sends HTTP POST requests to your registered URL.

Set Up a Webhook

POST

/api/vendor/webhooks

bash

curl -X POST https://brutlers.com/api/vendor/webhooks \
  -H "X-Api-Key: brut_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://meine-app.de/webhooks/brutlers",
    "events": ["order.created", "order.status_changed"]
  }'

Maximum 5 webhooks per vendor

Available Events

Event	Description
order.created	New order created
order.status_changed	Order status changed
inquiry.received	New inquiry received
appointment.confirmed	Appointment confirmed
appointment.cancelled	Appointment cancelled
customer.created	New customer created

Payload Format

Each webhook request contains a JSON body with the event type and associated data.

json

{
  "event": "order.status_changed",
  "data": {
    "id": "clx1234567890abcdef",
    "status": "FITTING_READY",
    "previousStatus": "IN_PRODUCTION",
    "customerId": "clx0987654321fedcba",
    "updatedAt": "2026-04-15T10:00:00.000Z"
  },
  "timestamp": "2026-04-15T10:00:01.234Z"
}

Signature Verification

Each request includes an HMAC-SHA256 signature header. Verify the signature to ensure the request is from Brutlers.

Header

X-Brutlers-Signature

javascript

import { createHmac } from "crypto";

function verifySignature(body, signature, secret) {
  const expected = createHmac("sha256", secret)
    .update(body)
    .digest("hex");
  return signature === expected;
}

// Express/Next.js example
app.post("/webhooks/brutlers", (req, res) => {
  const signature = req.headers["x-brutlers-signature"];
  const body = JSON.stringify(req.body);

  if (!verifySignature(body, signature, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send("Invalid signature");
  }

  const { event, data } = req.body;
  console.log(`Event: ${event}`, data);
  res.status(200).send("OK");
});

Retry Policy

On failure (status ≠ 2xx or timeout), the webhook will be retried up to 3 times:

11st retry: after 1 minute
22nd retry: after 5 minutes
33rd retry: after 30 minutes

Webhook Management

GET

/api/vendor/webhooks

PUT

/api/vendor/webhooks/:id

Update the URL, events, or status of a webhook.

DELETE

/api/vendor/webhooks/:id

Delete a webhook and all associated delivery logs.

Set Up a Webhook

POST

/api/vendor/webhooks

bash

curl -X POST https://brutlers.com/api/vendor/webhooks \
  -H "X-Api-Key: brut_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://meine-app.de/webhooks/brutlers",
    "events": ["order.created", "order.status_changed"]
  }'

Maximum 5 webhooks per vendor

Event

Description

order.created

New order created

order.status_changed

Order status changed

inquiry.received

New inquiry received

appointment.confirmed

Appointment confirmed

appointment.cancelled

Appointment cancelled

customer.created

New customer created

Payload Format

Each webhook request contains a JSON body with the event type and associated data.

json

{
  "event": "order.status_changed",
  "data": {
    "id": "clx1234567890abcdef",
    "status": "FITTING_READY",
    "previousStatus": "IN_PRODUCTION",
    "customerId": "clx0987654321fedcba",
    "updatedAt": "2026-04-15T10:00:00.000Z"
  },
  "timestamp": "2026-04-15T10:00:01.234Z"
}

Signature Verification

Each request includes an HMAC-SHA256 signature header. Verify the signature to ensure the request is from Brutlers.

Header

X-Brutlers-Signature

javascript

import { createHmac } from "crypto";

function verifySignature(body, signature, secret) {
  const expected = createHmac("sha256", secret)
    .update(body)
    .digest("hex");
  return signature === expected;
}

// Express/Next.js example
app.post("/webhooks/brutlers", (req, res) => {
  const signature = req.headers["x-brutlers-signature"];
  const body = JSON.stringify(req.body);

  if (!verifySignature(body, signature, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send("Invalid signature");
  }

  const { event, data } = req.body;
  console.log(`Event: ${event}`, data);
  res.status(200).send("OK");
});