Cartfunnel can send a secure webhook to a custom endpoint whenever an order is processed (ie. authorized and captured) or when a cart is abandoned.
What is a webhook? A webhook is an HTTP request sent by Cartfunnel to another server. This is used for connecting two separate services (in this case, Cartfunnel and another third party service).
Examples of uses for this would be:
- Notifying customer support of new orders
- Updating external services (eg. Zapier)
About Cartfunnel’s webhooks
Cartfunnel’s webhooks sends order information in its webhooks in the industry standard JSON format. Most services (eg. Zapier) are able to parse this information, allowing you to create complicated workflows from within Cartfunnel to other services you use in your business.
Webhooks can be sent after the following events:
- Authorization and capture of order payment
- Abandoned cart
Requests are made with either a POST or a PUT request (which you can specify).
For security purposes, all webhooks are signed with a special header called X-Cartfunnel-Hmac-SHA256. We use a shared secret to digitally sign the webhook request so you can compare the value (using the shared secret) that you generate on your server.
Creating and modifying webhooks
To create a new webhook, click on Integrations and setup under Webhooks.

On the next screen, click Add webhook. You will see a form that lets you configure your webhook endpoint:

Once you set up a webhook, you’ll be able to modify the JSON payload that Cartfunnel sends to the target endpoint:

It is recommended you only send the information that you require at the target service in order to minimize the amount of data that is sent to third party services.
Sending a test request
You can test your endpoint by clicking on Send test request at the very top of the webhook details page:

Cartfunnel will attempt to contact the third party service (via webhook). You can inspect the request at the third party service.
Verifying your webhooks
It is recommended that you verify the requests coming from Cartfunnel to ensure that no malicious actors are using your API endpoints maliciously.
Webhooks are sent with a special header called X-Cartfunnel-Hmac-SHA256 which contains a signature. Generate, using the shared secret (available by going to the Webhooks section from the dashboard) and generating a Base64-encoded header with the HTTP request body.
Here’s an example code in Ruby of how to generate this value and compare them: