Webhooks
Dxtra receives webhook events from third-party platforms to track data processing activities, manage consent, and automate privacy compliance. When events occur in your connected platforms (e.g., a new customer in Stripe, an order in Shopify), those platforms send webhook notifications to Dxtra.
```mermaid
graph LR
    subgraph "Your Platforms"
        Stripe[Stripe]
        Shopify[Shopify]
        Mailchimp[Mailchimp]
        Others[Other Platforms]
    end
    subgraph "Dxtra"
        Conduit[Webhook Receiver]
        Validation[Signature Validation]
        Processing[Privacy Processing]
        DB[(Database)]
    end
    Stripe -->|Customer events| Conduit
    Shopify -->|Order events| Conduit
    Mailchimp -->|Subscriber events| Conduit
    Others -->|Events| Conduit
    Conduit --> Validation
    Validation --> Processing
    Processing --> DB
```

Inbound Only
Dxtra receives webhooks from third-party platforms. There is no outbound webhook system that sends events to your application endpoints. To read data from Dxtra, use the GraphQL API.
Webhook Endpoints
Integration webhooks use one of two URL patterns depending on the integration:
Legacy DID + DX Key integrations:
https://conduit.dxtra.ai/api/v1/integrations/{service}/event?did={YOUR_DID}&dxKey={YOUR_DX_KEY}
JWE token integrations (auto-configured during setup):
You configure this URL in your third-party platform's webhook settings. When events occur, the platform sends HTTP POST requests to this endpoint.
Supported Integrations
| Integration | Endpoint Path | Authentication |
|---|---|---|
| Shopify | /integrations/shopify/event | JWE token (auto-configured) |
| Stripe | /integrations/stripe/event | JWE token (auto-configured) |
| WooCommerce | /integrations/woocommerce/event | DID + DX Key |
| Mailchimp | /integrations/mailchimp/event | JWE token (auto-configured) |
| Mailchimp Marketing | /integrations/mailchimp-marketing/event | JWE token (auto-configured) |
| Customer.io | /integrations/customer-io/event | JWE token (auto-configured) |
| Klaviyo | /integrations/klaviyo/event | JWE token (auto-configured) |
| QuickBooks | /integrations/quickbooks/event | Intuit signature (HMAC) |
| Eventbrite | /integrations/eventbrite/event | DID + DX Key (encrypted) |
| SurveyMonkey | /integrations/survey-monkey/event | JWE token (auto-configured) |
| HubSpot | /integrations/hubspot/event | DID + DX Key |
| Salesforce | /integrations/salesforce/event | DID + DX Key |
| Xero | /integrations/xero/event | JWE token (auto-configured) |
| NetSuite | /integrations/netsuite/webhook/event | JWE token + HMAC-SHA256 signature |
| Google Drive | /integrations/google-drive/event | encrypted DID+DX Key |
| Sabre/SynXis | /integrations/sabre/poll | Polling (auto-configured) |
| Custom | /integrations/custom/event | DID + DX Key |
The full base URL for all endpoints is https://conduit.dxtra.ai/api/v1.
Customer Data Redaction Endpoints
Some integrations provide compliance endpoints for processing data subject erasure requests:
| Integration | Redaction Endpoint |
|---|---|
| Stripe | /integrations/stripe/customer-redact |
| Mailchimp | /integrations/mailchimp/customer-redact |
| Mailchimp Marketing | /integrations/mailchimp-marketing/customer-redact |
| WooCommerce | /integrations/woocommerce/customer-redact |
| Salesforce | /integrations/salesforce/customer-redact |
| Xero | /integrations/xero/customer-redact |
Authentication
Webhooks are authenticated using one of these methods depending on the integration:
DID + DX Key
Most integrations authenticate via DID and DX Key as URL query parameters (?did={YOUR_DID}&dxKey={YOUR_DX_KEY}). Both parameters are validated on every incoming webhook request. Find your DID and DX Key in the dashboard under Developers.
Available Events
Event notifications are triggered by database changes. See the Events Reference for a complete list of available events.
Security Considerations
For Integration Webhooks
- DID and DX Key: Required query parameters authenticate the webhook source
- Signature Verification: Each integration uses service-specific signature verification (e.g., Shopify HMAC, Stripe signatures)
- Rate Limiting: Automatic protection against webhook abuse (1000 requests per 15 minutes)
- IP Allowlisting: Consider restricting webhook endpoints to known service IPs
- Input Validation: All webhook payloads validated with Zod schemas before processing
- Error Handling: Secure error responses that don't expose internal system information
For Event Notifications
- Internal Only: Hasura event triggers are internal to the Dxtra platform
- Authentication: Event processing happens within the secured internal network
- Audit Logging: All events are logged for compliance and debugging
Example Payload
Here is an example of the JSON payload that we would send for a data_subject_request.created event:

```json
{
  "event": "data_subject_request.created",
  "data": {
    "id": "e5f6a7b8-c9d0-1234-5678-901234567890",
    "type": "access",
    "status": "pending",
    "data_subject_id": "f8e7d6c5-b4a3-2109-8765-432109876543"
  }
}
```
You can find your DID and DX Key in the dashboard under Developers. These parameters are validated on every incoming webhook request.
JWE Token
Newer integrations (such as Shopify) use an encrypted JWE token:
The token is generated automatically during integration setup and contains your DID and DX Key in encrypted form.
Platform Signature Verification
In addition to DID/DX Key authentication, Dxtra verifies the cryptographic signature of each webhook payload to confirm it was sent by the expected platform:
| Platform | Verification Method |
|---|---|
| Shopify | HMAC-SHA256 |
| Stripe | Stripe SDK signature verification |
| WooCommerce | HMAC-SHA256 |
| Klaviyo | No signature verification (TODO) |
| Customer.io | No signature verification (relies on JWE token auth) |
| HubSpot | HubSpot signature verification |
| NetSuite | HMAC-SHA256 |
Payload Validation
All incoming webhook payloads are validated against a schema before processing. Invalid payloads are rejected with an error response.
What Happens When a Webhook Arrives
- Authentication -- DID/DX Key or JWE token is validated
- Signature verification -- Platform-specific cryptographic verification
- Payload validation -- Schema validation of the request body
- Data controller resolution -- Identifies your organization from the credentials
- Event extraction -- Parses the platform-specific event data
- PII extraction -- Identifies personal data fields in the payload
- Privacy-preserving processing -- Hashes identifiers for privacy compliance
- Record creation -- Creates processing activity records and updates data subject profiles
Setting Up Webhooks
Each integration has its own setup process. See the specific integration guide for step-by-step instructions:
For the full list of integrations, see Integrations Overview.
Error Handling
| HTTP Status | Meaning |
|---|---|
| 200 | Webhook processed successfully |
| 400 | Invalid payload or missing required fields |
| 401 | Invalid DID, DX Key, or signature |
| 404 | Unknown integration or endpoint |
| 429 | Rate limit exceeded (1,000 requests per 15 minutes per IP) |
| 500 | Internal processing error (will be retried by the platform) |
Most platforms automatically retry failed webhooks. Configure your platform's retry settings to allow for transient errors.
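The first three arrival steps (authentication, signature verification, payload validation) mapped to the status codes in the table above, as an added example that is not Dxtra's code. It assumes a DID + DX Key integration whose platform signs the raw body with base64 HMAC-SHA256, as WooCommerce does; `checkWebhook`, `safeEqual`, `sign`, `redactUrl`, the tenant record and all sample values are hypothetical.

```javascript
// Added example, not Dxtra's code. All names and sample values are constructed.
const crypto = require("node:crypto");

// Constant-time compare that tolerates unequal lengths: hash both sides so
// timingSafeEqual always receives two 32-byte buffers.
function safeEqual(a, b) {
  const h = (v) => crypto.createHash("sha256").update(v).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Base64 HMAC-SHA256 over the raw request bytes (the form WooCommerce and
// Shopify place in their signature headers).
function sign(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("base64");
}

// Returns the HTTP status from the Error Handling table.
// tenant = { did, dxKey, signingSecret }: assumed stored integration record.
function checkWebhook(tenant, url, signatureHeader, rawBody) {
  const q = new URL(url).searchParams;
  // 1. Authentication: evaluate both credentials, then decide.
  const didOk = safeEqual(q.get("did") ?? "", tenant.did);
  const keyOk = safeEqual(q.get("dxKey") ?? "", tenant.dxKey);
  if (!(didOk && keyOk)) return 401;
  // 2. Signature: verify the bytes as received, before any JSON parsing.
  const expected = sign(tenant.signingSecret, rawBody);
  if (!safeEqual(signatureHeader ?? "", expected)) return 401;
  // 3. Payload validation: hand-written stand-in for a schema check.
  let body;
  try { body = JSON.parse(rawBody.toString("utf8")); } catch { return 400; }
  if (body === null || typeof body !== "object" || typeof body.id !== "string") return 400;
  return 200;
}

// The credentials sit in the query string, so mask them before logging a URL.
function redactUrl(url) {
  const u = new URL(url);
  for (const k of ["did", "dxKey"]) if (u.searchParams.has(k)) u.searchParams.set(k, "REDACTED");
  return u.toString();
}

// Constructed sample request (not real credentials).
const SAMPLE_TENANT = { did: "did:example:123", dxKey: "dx-key-sample", signingSecret: "sample-secret" };
const SAMPLE_URL = "https://conduit.dxtra.ai/api/v1/integrations/woocommerce/event" +
  "?did=did%3Aexample%3A123&dxKey=dx-key-sample";
const SAMPLE_BODY = Buffer.from('{"id":"1001","email":"a@example.com"}');
console.log(checkWebhook(SAMPLE_TENANT, SAMPLE_URL, sign(SAMPLE_TENANT.signingSecret, SAMPLE_BODY), SAMPLE_BODY));
```

The signature is computed over the bytes exactly as received; re-serializing parsed JSON before hashing changes whitespace and key order and makes valid requests fail verification.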
Related Pages
- Integrations Overview -- All supported platforms
- Actions Reference -- GraphQL mutations and queries
- Events Reference -- Internal event triggers
- Rate Limits -- Request throttling details