REST Hooks

The concept of REST Hooks is something that we have first built for our Zapier-Integration but it can be used by everyone to get information about certain events that happen regarding Wallet passes in Passcreator.

The idea in general is, that a server that should be notified about changes (e.g. a pass was created, a user saves a pass on his Smartphone) must subscribe for these changes using our subscription endpoint.
The subscribing server or service will provide a unique URL that will be used by our server to push information to the subscribing server. If the subscription is successful our server will push data to the URL that has been given on subscription.

If the notifications are no longer needed the subscribing server will call the unsubscribe endpoint to tell us that we should stop pushing information.
A hook can either be tied to a specific template or not which leaves the decision up to you if you want to receive data for passes of only one template or events of all templates in your account.
The major advantage of this concept is that both servers have less work to do if you compare it to the usual polling mechanism and the subscribing server is notified about changes in near-realtime.

Signing of webhook data

Webhooks contain a signature and a string representation of the data that we have sent. You should use this signature to check the authenticity of the data that you receive. You can simply check if the signature and the signed string that are both part of the payload we send to you can be verified. To do that, you can receive the public key by calling the endpoint that returns it. One way to verify the signature is to use openssl_verify (with SHA1 as algorithm).