Hi, just wondering if there is any plan for adding authentication for inbound webhooks? Also is there anywhere I can find a copy of the inbound webhook schema?
Hi Matt,
For the standard ServiceM8 Webhooks API (where ServiceM8 sends POSTs to your callback URL), subscriptions are managed via https://api.servicem8.com/webhook_subscriptions.
On the callback/auth side, the docs describe an initial verification step for public (OAuth 2) apps where ServiceM8 POSTs mode=subscribe and a challenge value, and your endpoint responds with only the challenge value.
For the inbound webhook payload schema, the docs show that after verification ServiceM8 sends an HTTP POST with a JSON body in this shape (high level): object, entry[0].uuid, entry[0].changed_fields, entry[0].time, and resource_url.
Also worth noting: webhook updates only indicate that fields changed (they don’t include the field values), so you’ll typically use the REST API and the provided resource_url to fetch the full record.
If you meant Add-on SDK web service callbacks (web-service hosted add-ons), the inbound request body is a JWT, and the JWT is signed (HMAC-SHA-256) using your Add-on’s App Secret, which lets you validate the request came from ServiceM8.
Docs here:
- Webhooks overview (verification + payload example): Overview
- Web service hosted add-ons (JWT signing): Web Service Hosted Add-ons
Which webhook type are you using: Webhooks API subscriptions, or an Add-on SDK callback URL?
Thanks,
Cody