Mulberry provides the ability for you to specify webhooks in order to be notified of certain events. Just supply a RESTful API endpoint that we can send a POST request to for one of the events below and we'll notify you each time that event occurs.

Verifying Webhook Events

Before you respond to a webhook, you need to verify that the webhook was sent from Mulberry. You can verify the webhook by calculating a digital signature.

Each webhook request includes a base64 encoded X-Signature-SHA256 header. The header value is the HMAC of the raw body of the message calculated using the SHA-256 hash algorithm and the private bearer token.


Private Bearer Token

Your private bearer token should be available via the Mulberry Partner Dashboard. If you do not have access to the partner dashboard please contact our partner success team.


Older support for previous Webhook Auth tokens

If you have already integrated with Mulberry webhooks in the past you may be using the old authentication token method for verifying webhook events are sent from Mulberry. This method is still supported but it's recommended that you update to using the signature header outlined in the above section.

Compute the HMAC digest and compare with the header value

Some code examples can be found here:

Accepting Webhook Events and Retries

Mulberry defines a webhook as successfully delivered if we receive a 2XX status code response within 2 seconds. Otherwise the event is retried up to 10 times for up to 24 hours after the initial delivery attempt.