Webhooks enable Help Scout to call a script on your server when one or more events have happened. Webhooks can be thought of as event listeners or push notifications.
Configuring webhooks can be done through the Help Scout user interface. Simply login, click on Apps in the top header bar, then select the Webhooks app.
Each request body uses the object format linked in the table below.
|Type||Event Name||Request Header||Request Body|
|Status Updated||convo.status||Conversation object|
|Tags Updated||convo.tags||Conversation object|
|Customer Reply||convo.customer.reply.created||Conversation object|
|Agent Reply||convo.agent.reply.created||Conversation object|
|Note Created||convo.note.created||Conversation object|
|Customer||Customer Created||customer.created||Customer object|
|Ratings||Rating Received||satisfaction.ratings||Rating object|
Each webhook includes two headers:
- X-HelpScout-Event: Lists the event name for which this webhook event is being generated
- X-HelpScout-Signature: The computed signature generated by Help Scout. Used to know if the request is valid or not.
Webhooks can be verified as coming from Help Scout by calculating a digital signature. Each webhook request contains an X-HelpScout-Signature header, which is generated using the given secret key, along with the json encoded payload data sent in the request.
To verify if the request came from Help Scout, compute the HMAC hash and compare it to the header value sent in the request. If the computed signatures match, you can be sure the request was sent from Help Scout.
When using the Help Scout PHP library, this validation is automatically handled for you.
Thanks to our friends at Parse.com for the Ruby example below.
Thanks to Leo Arnold at Givve for sending us a nice Gist with a Ruby vulnerability fix.
And an updated ruby example using openssl (instead of hmac-sha1):
Thanks to one of our Help Scout customers for the following Node.js example.
Anything returned in the body of the response will be discarded. In order to know the webhook was successful, an HTTP status code of
200 must be returned.
A status code of
410 will cause the webhook to get deactivated/deleted.
Any status code other than
410 is a failure of some kind. A failed event is retried up to 10 times (with an increasing timeout period in between each retry). If the event fails all 10 retries, it is discarded.
Webhooks are automatically deactivated if three or more events get discarded.
Note: The Agent Reply event will only return data for User-generated threads. Auto Reply messages are not included in this event.