Near-realtime integration with Youforce webhooks

Introduction

Webhooks are HTTP callbacks, serving as efficient conduits for automatically transmitting real-time data directly between systems in response to specific triggering events. This mechanism facilitates seamless integration and automation across various services by leveraging event-driven operations. Essentially, when a particular event unfolds within a service, said service dispatches an HTTP POST request to a pre-defined URL, thereby activating the webhook.

The HTTP POST request dispatched encompasses a data payload, intricately detailing the specifics of the event. This payload maintains a structure and content mirroring that of the corresponding domain-specific API, ensuring coherence. Such alignment permits developers to uniformly process information received from both webhooks and APIs, thus streamlining data handling procedures.

In stark contrast to the conventional polling techniques, which necessitate frequent and repetitive status checks on another system —often resulting in significant delays— webhooks stand out by promising more immediate integrations. They efficiently circumvent the latency usually associated with constant polling by delivering prompt updates, typically within a narrow time window of 3 to 5 minutes, albeit not instantaneously. This model not only optimizes data exchange and minimizes waiting times but also significantly enhances the overall efficiency of system integrations.

Youforce webhooks

The Youforce webhooks, like the APIs, are divided into domains. Each domain has its own webhook publisher with events. Applications can subscribe to one or more events in the Visma Developer Portal.

Youforce Publisher-Subscriber model

Webhook Secret

Securing webhooks is crucial for protecting your data flow. A core part of this security involves using webhook secrets. When you set up a webhook subscription, you’re given a unique secret. This secret helps ensure that incoming messages are genuinely from the source they claim to be.

How It Works? > Webhook providers include a signature in each request’s header, generated using the secret and the data payload. The receiving system uses the same secret to verify this signature, confirming the message’s integrity and origin.

Why It Matters? > Using secrets enables a secure, trustworthy exchange of data between systems, guarding against unauthorized access and alteration. It’s an essential step towards robust webhook security. For detailed guidance on implementing this security measure, refer to the section Using a Webhook Secret.

Is firewall security possible? > The Visma Webhook Dispatcher uses the following Public IPs when sending webhooks to registered subscriptions. If needed, these IPs can be configured in a whitelist setup of your infrastructure.

  • 18.202.121.26
  • 34.242.104.102
  • 54.220.26.45

Is secret rotation possible? > Yes, you can manually rotate the secrets for your applications by following these steps in the Visma Developer Portal for your application:

  • deactivate the subscription: this will keep all messages in the subscription queue.
  • generate a new secret and store it in your own secrets store
  • activate the subscription which will start sending the webhooks signed with the new secret.

Example of a message

Example of a message