Outbound webhooks (Early Adopter)

Using Platform Triggers, you can automate tasks to streamline your workflows. When working with POST request trigger types, you can also use outbound webhooks to push payloads to servers that you want automatically updated.

Create a Platform Trigger webhook

  1. Follow the instructions to create a trigger as you normally do using the steps in Add Platform triggers to automate tasks .
  2. Ensure you select HTTP post as your trigger type.
  3. When defining the trigger type properties, select Use webhook delivery .
  4. When you select Use webhook delivery , the Client ID field appears. Add your client ID information. You can obtain a client ID by following the instructions in the REST developer quick start .
  5. Define the remainder of your property details.

If a call is unsuccessful, retries occur until a successful HTTP status code of 200 is received, up to 4 attempts. The following HTTP status codes trigger retries:

  • 408 Request Timeout
  • 429 Too Many Requests
  • 500 Internal Server Error
  • 502 Bad Gateway
  • 503 Service Unavailable
  • 504 Gateway Timeout

If the first call fails, retries occur at the following intervals:

  • First retry after 10 seconds
  • Second retry after 30 seconds
  • Third retry after 90 seconds

Each webhook request includes a unique idempotency key, although retries will contain the same key.

Integrate with Sage Intacct

If you need to integrate a system with Sage Intacct to receive webhook requests, endpoints must:

  • support HTTPS
  • be publicly accessible
  • accept HTTP POST requests
  • respond within the specified timeout periods

In addition, Sage Intacct recommends verifying request JSON web token (JWT) signatures and using HTTPS for transport encryption. The header information from Sage Intacct will contain detail to indicate whether a request is legitimate. Headers must contain:

  • Authorization bearer token
  • X-Trusted-Context with base64 encoded trusted context information, including the client ID. This information gets decoded on the server side.

For example:

Copy
Copied
Authorization: X-TrustedBearer VEFpOXNENDhzU3FjYnAwa3NWb2g2dlRBUW9GRlNUQlk=
X-Trusted-Context: eyJjbGllbnRJZCI6ImQ0ZjJiNmIzMTgxNzRiOWE2MGE3LklOVEFDQ1QuYXBwLnNhZ2UuY29tIiwiZGJJZCI6NjE0MDQsImRiVVJJIjoiZGV2Nzc6OTA4MCIsImNvbm5JZCI6NzM5NDUsInVzZXJJZCI6IkFkbWluIiwidXNlcktleSI6MSwiY29tcGFueUlkIjo0NTIxMTk2OSwibG9jYXRpb25LZXkiOjAsIm1vbmdvU2hhcmQiOiJkZXZfcnMxIiwic2Vzc2lvbktleSI6IlN6a3dwVDl0bS11SVhobWl2a19fM29KSF80bGVHVXM1TUtVOTNGT0xpRjRab3I1UHZ0X3hkUHVJIiwidHJ4TGV2ZWwiOjAsImp3dERhdGEiOm51bGx9

Other suggested practices include implementing a rate-limiting process and logging all webhook requests to assist with troubleshooting.