Implementation Guide

Build and test your webhook endpoint for receiving PartsSource events

This cookbook walks you through building an endpoint to receive, verify, and process webhook events from PartsSource. By the end, you'll have a working receiver ready for production.

Webhook configuration (URL and subscribed events) is set up by the PartsSource implementation and integration team. This guide assumes your webhook has already been configured and you have your signing secret.

Your responsibilities as a webhook consumer:

Accept the incoming POST request
Verify the signature to confirm it came from PartsSource
Acknowledge receipt by returning a 2xx response within 30 seconds
Process the event data

Prerequisites: your webhook signing secret (provided during setup) and a publicly accessible HTTPS endpoint.

Step 1: Build Your Endpoint

Your endpoint must accept POST requests with Content-Type: application/json, return 200 OK (or any 2xx) within 30 seconds, and verify the signature before processing. Handle duplicate deliveries idempotently using the envelope fields.

Node.js (Express)

const express = require('express');
const app = express();

app.post('/webhooks/partssource', express.json(), (req, res) => {
  // 1. Verify signature (see Step 2)
  if (!verifySignature(req)) {
    return res.status(401).send('Invalid signature');
  }

  // 2. Process the event
  const event = req.body;
  console.log(`Received: ${event.event_type}`);

  switch (event.event_type) {
    case 'order.created':
      handleOrderCreated(event.payload);
      break;
    case 'order.shipment.shipped':
      handleShipment(event.payload);
      break;
    case 'order.line.backordered':
      handleBackorder(event.payload);
      break;
    default:
      console.log(`Unhandled event type: ${event.event_type}`);
  }

  // 3. Acknowledge receipt
  res.status(200).send('OK');
});

app.listen(3000);

C# (ASP.NET)

[ApiController]
[Route("webhooks/partssource")]
public class WebhookController : ControllerBase
{
    [HttpPost]
    public async Task<IActionResult> ReceiveWebhook()
    {
        // Read raw body for signature verification
        using var reader = new StreamReader(Request.Body);
        var body = await reader.ReadToEndAsync();

        // 1. Verify signature (see Step 2)
        var signature = Request.Headers["X-PS-Signature"].ToString();
        var timestamp = Request.Headers["X-PS-Timestamp"].ToString();

        if (!WebhookVerifier.Verify(_secret, signature, timestamp, body))
            return Unauthorized();

        // 2. Parse and process event
        var webhookEvent = JsonSerializer.Deserialize<WebhookEventRequest>(body);

        switch (webhookEvent.EventType)
        {
            case "order.created":
                await HandleOrderCreated(webhookEvent.Payload);
                break;
            case "order.shipment.shipped":
                await HandleShipment(webhookEvent.Payload);
                break;
            case "order.line.backordered":
                await HandleBackorder(webhookEvent.Payload);
                break;
        }

        // 3. Acknowledge receipt
        return Ok();
    }
}

Python (Flask)

from flask import Flask, request
import hmac, hashlib, time

app = Flask(__name__)
WEBHOOK_SECRET = "whsec_your_secret_here"

@app.route("/webhooks/partssource", methods=["POST"])
def receive_webhook():
    # 1. Verify signature (see Step 2)
    if not verify_signature(request):
        return "Invalid signature", 401

    # 2. Process the event
    event = request.get_json()
    event_type = event["event_type"]

    if event_type == "order.created":
        handle_order_created(event["payload"])
    elif event_type == "order.shipment.shipped":
        handle_shipment(event["payload"])
    elif event_type == "order.line.backordered":
        handle_backorder(event["payload"])

    # 3. Acknowledge receipt
    return "OK", 200

Step 2: Verify Signatures

Always verify the X-PS-Signature header to confirm the webhook came from PartsSource and wasn't modified in transit.

PartsSource constructs a signed payload as {timestamp}.{request_body}, computes HMAC-SHA256 using your webhook secret, and sends the result as sha256={hex_digest}. To verify:

Extract the X-PS-Signature and X-PS-Timestamp headers
Check that the timestamp is within 5 minutes of current time
Construct the signed payload: {timestamp}.{raw_request_body}
Compute HMAC-SHA256 with your webhook secret
Compare signatures using constant-time comparison

Node.js

const crypto = require('crypto');

function verifySignature(req) {
  const secret = process.env.WEBHOOK_SECRET;
  const signature = req.headers['x-ps-signature'];
  const timestamp = req.headers['x-ps-timestamp'];
  const body = JSON.stringify(req.body);

  // Check timestamp freshness (5 minute tolerance)
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - parseInt(timestamp)) > 300) {
    return false;
  }

  // Compute expected signature
  const signedPayload = `${timestamp}.${body}`;
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex');

  // Constant-time comparison
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

C#

using System.Security.Cryptography;
using System.Text;

public static class WebhookVerifier
{
    public static bool Verify(
        string secret,
        string signatureHeader,
        string timestampHeader,
        string body,
        int toleranceSeconds = 300)
    {
        // Check timestamp freshness
        if (!long.TryParse(timestampHeader, out var timestamp))
            return false;

        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (Math.Abs(now - timestamp) > toleranceSeconds)
            return false;

        // Compute expected signature
        var signedPayload = $"{timestamp}.{body}";
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(signedPayload));
        var expected = "sha256=" + Convert.ToHexString(hash).ToLowerInvariant();

        // Constant-time comparison
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected),
            Encoding.UTF8.GetBytes(signatureHeader));
    }
}

Python

import hmac, hashlib, time

def verify_signature(request):
    secret = WEBHOOK_SECRET.encode('utf-8')
    signature = request.headers.get('X-PS-Signature', '')
    timestamp = request.headers.get('X-PS-Timestamp', '')

    # Check timestamp freshness
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(time.time() - ts) > 300:
        return False

    # Compute expected signature
    signed_payload = f"{timestamp}.{request.get_data(as_text=True)}"
    expected = "sha256=" + hmac.new(
        secret, signed_payload.encode('utf-8'), hashlib.sha256
    ).hexdigest()

    # Constant-time comparison
    return hmac.compare_digest(signature, expected)

Secret Rotation

If your signing secret is rotated, there is a 24-hour grace period where deliveries include both X-PS-Signature (new secret) and X-PS-Signature-Previous (old secret). Accept either signature during this window:

function verifySignatureWithRotation(req) {
  if (verifyWithSecret(req, process.env.WEBHOOK_SECRET)) {
    return true;
  }
  // During rotation grace period, check previous signature
  const prevSignature = req.headers['x-ps-signature-previous'];
  if (prevSignature && process.env.WEBHOOK_SECRET_PREVIOUS) {
    return verifyWithSecret(req, process.env.WEBHOOK_SECRET_PREVIOUS);
  }
  return false;
}

Step 3: Production Best Practices

Process Asynchronously

Acknowledge the webhook immediately with 200 OK, then process the event in a background queue. This keeps your response time fast and avoids timeouts.

app.post('/webhooks/partssource', express.json(), (req, res) => {
  if (!verifySignature(req)) {
    return res.status(401).send('Invalid signature');
  }

  // Enqueue for background processing
  eventQueue.push(req.body);

  // Acknowledge immediately
  res.status(200).send('OK');
});

Deduplicate Events

Webhook delivery uses at-least-once semantics — the same event may be delivered more than once after a retry. Use the envelope fields to detect and skip duplicates:

// Use a persistent store (database, Redis) in production
async function handleWebhook(event) {
  const dedupeKey = `${event.event_type}:${event.reference_id}:${event.occurred_at}`;
  const alreadyProcessed = await db.exists('processed_events', dedupeKey);
  if (alreadyProcessed) {
    return; // Already handled
  }

  await processEvent(event);
  await db.insert('processed_events', { key: dedupeKey, processed_at: new Date() });
}

Store the Raw Payload

Log the full request body before processing. This helps with debugging and allows you to replay events locally if needed.

Handle Unknown Event Types Gracefully

Your endpoint may receive event types you haven't implemented handlers for. Always acknowledge these with 200 OK — returning an error triggers unnecessary retries.

default:
  console.log(`Unhandled event type: ${event.event_type}`);
  // Still return 200 — don't trigger retries for events you don't handle

Testing Checklist

Before going live, verify the following:

Endpoint returns 200 OK for valid requests
Signature verification passes with your stored secret
Signature verification rejects tampered payloads
Stale timestamps (>5 min old) are rejected
Duplicate events are handled idempotently
Unknown event types don't cause errors (log and acknowledge them)
Endpoint responds within 30 seconds

Troubleshooting

Signature verification failing

Use the raw request body (not a re-serialized version) when computing the signature
Confirm you're using the correct secret (the one provided during setup, or the rotated one)
Verify your HMAC is using SHA-256 and outputting lowercase hex
Construct the signed payload as {timestamp}.{body} with a literal dot separator
During secret rotation, check both X-PS-Signature and X-PS-Signature-Previous

Receiving duplicate events

This is expected behavior. Webhook delivery uses at-least-once semantics. Deduplicate using the envelope fields. For production, use a persistent store (database, Redis) rather than an in-memory set.

Not receiving webhooks

Contact your PartsSource integration team to verify:

Your webhook is active
Your subscribed events match what you expect
Your endpoint is publicly accessible over HTTPS

They can also check delivery history and replay failed deliveries on your behalf.

PreviousPayload Objects NextPrice Option ID

Last updated 7 days ago

Good evening

hashtagStep 1: Build Your Endpoint

hashtagNode.js (Express)

hashtagC# (ASP.NET)

hashtagPython (Flask)

hashtagStep 2: Verify Signatures

hashtagNode.js

hashtagC#

hashtagPython

hashtagSecret Rotation

hashtagStep 3: Production Best Practices

hashtagProcess Asynchronously

hashtagDeduplicate Events

hashtagStore the Raw Payload

hashtagHandle Unknown Event Types Gracefully

hashtagTesting Checklist

hashtagTroubleshooting

hashtagSignature verification failing

hashtagReceiving duplicate events

hashtagNot receiving webhooks