Overview
Webhooks in Open Loyalty provide a powerful mechanism for real-time, event-driven communication between your Open Loyalty instance and external systems. They act as automated notifications, delivering event data whenever specific actions occur, such as a customer earning points, redeeming a reward, or updating their profile. Depending on your configuration, this data can be sent via an HTTP POST request to a designated endpoint or pushed to a message queue like AWS SQS, allowing your integrated systems to react instantly and manage data flow efficiently.
To ensure the secure implementation of your webhooks, consider the following measures, noting that security mechanisms differ slightly between direct endpoint delivery and SQS delivery:
Verification Tokens (for direct endpoints): When sending webhooks to a direct HTTP endpoint, utilize a shared secret (often referred to as a verification token or signature) to validate incoming requests. This helps ensure that the requests genuinely originate from your Open Loyalty instance and prevents unauthorized or spoofed calls.
HTTPS (for direct endpoints): Always implement HTTPS for your webhook endpoints. This encrypts the data in transit, protecting sensitive information from eavesdropping and tampering as it travels from Open Loyalty to your system.
AWS SQS Security: When sending webhooks to AWS SQS, security is primarily managed through AWS Identity and Access Management (IAM) and SQS queue access policies. Ensure your AWS credentials (Access Key and Secret Key) have the minimum necessary permissions (least privilege) to send messages to the specified queue, and configure your SQS queue policies to restrict access appropriately.
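The least-privilege advice for SQS delivery can be checked mechanically. The following is an added example, not code from Open Loyalty: it audits an IAM identity policy and reports every Allow statement that grants more than sending to one queue. The queue ARN, both sample policies, and the assumption that the integration needs only sqs:SendMessage are constructed for illustration.

```python
# Added example: audit the IAM policy attached to the credentials that
# publish webhooks to SQS. The ARN below is a constructed placeholder.
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111122223333:loyalty-webhooks"

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_send_only(policy, queue_arn):
    """Return findings for each Allow statement that grants more than
    sqs:SendMessage on exactly queue_arn (assumed to be all that is needed)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; wildcards never match here.
            if action.lower() != "sqs:sendmessage":
                findings.append(f"statement {i}: action {action!r} exceeds sqs:SendMessage")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != queue_arn:
                findings.append(f"statement {i}: resource {resource!r} is not the target queue")
    return findings

# Constructed sample: any SQS action on any queue in the account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

# Constructed sample: send-only access to the single webhook queue.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", audit_send_only(policy, QUEUE_ARN) or "OK")
```

If the queue uses a customer-managed KMS key, the credentials also need the matching KMS permissions, which this check does not cover.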