Collapse Menu
FastSpring App
Contact Support

Webhooks Overview

Table of Contents:

FastSpring has two types of Webhooks:

  • Server Webhooks: Post JSON data from FastSpring to one or more external URLs or endpoints. Write scripts to parse the data and update your databases or trigger other events based on the contents of the data.
  • Browser scripts: Execute a JavaScript function in the consumer's browser, passing order data in a JSON object. The function is executed upon completion of an order. Design the function to parse the order data and trigger events based on its contents.

You can have multiple Webhook events, and each type can be sent to as many different URLs as you need. Each post from FastSpring to your endpoint may contain more than one Webhook event in its payload.

Design your scripts for parsing server Webhooks to be able to receive duplicate events. For example, if your script receives more than one event with the same event ID, any subsequent identical events should be ignored. 

Your scripts should be able to handle multiple posts with unique event IDs for the same event for the same transaction and update your records with any new info contained in subsequent posts. Automatic retries will have the same event id, but any manual resend of a webhook would have a new event id and should be identified by the object (subscription, order, etc) id.

Webhooks may be delayed during routine batch processes, such as rebills and subscription deactivations. The webhook immediately enters a queue to be completed as soon as possible, however depending on the size of the queue, it may take time to complete.

Set Up Webhooks

  1. In the FastSpring App, select the Integrations > Webhooks. An empty Webhook container (for both live and test events) is created for you.
  2. Click Add Webhook to create additional Webhook configurations.

Create and Edit Webhooks

If you need to send the same webhook event(s) to multiple URLs/endpoints, start by following this procedure to create additional webhook configurations. Then, in the new webhook configurations, click the Add Server Webhook command to add new URLs and select the events for the new configurations.

  1. If you click Add Webhook to create an additional webhook configuration, or if you click Edit in a webhook configuration (next to Add Browser Script), a window similar to the following appears.
  2. The optional Title field is for internal use. It helps you to distinguish (in addition to the URL) between one webhook configuration and another.
  3. By default, the Get webhooks from field is set to send webhook events for both Live and Test Orders. If you only want FastSpring to send events via this webhook configuration for live orders–or only for test orders–click the drop-down and select the desired option.
  4. If you want this webhook to use expanded JSON data, select Enable webhook expansion
  5. Click Add to add a new webhook or Save to save your changes.
If you plan to use the /events endpoint of the FastSpring API to manage your Webhook events, please note that the /events endpoint currently only works with events posted to the first Webhook configuration on this page.

Webhook Expansion

By default, webhook events include only data that is relevant to the current event type. For example, in an order.completed event, the customer's account ID will be included by default, but not the remainder of the account details. The remaining details are available in a separate account.created webhook event.

However, if you select Enable webhook expansion, then the objects listed below are fully expanded. All of each expandable object's data appears in relevant events other than their own event types. To continue the example above, with this option enabled, order.completed includes the customer's complete account object rather than just the account ID. Depending upon your implementation, this may make it unnecessary to subscribe to some webhook events (e.g., account.created), or to make API calls to fill in details of those objects.

Expandable Webhook Event Objects

  • account
  • order
  • product
  • subscription

Server Webhooks

Server-to-server webhook events are delivered as the POST body JSON payload to your specified URL(s). Upon firing, some webhooks also trigger an email message to the customer, depending on the context.

Webhooks may be delayed during routine batch processes, such as rebills and subscription deactivations. The webhook immediately enters a queue to be completed as soon as possible, but depending on the size of the queue it may take some time to complete.
  • account.updated – Fired when a consumer account is updated. Examples include when the consumer information is manually updated within the application, or when an existing consumer places a new order with different personal information.
  • account.created – Fired when a customer account is created (e.g., when a customer whose email address does not match an existing account places a new order). Customer Accounts and Single Sign-On provides detailed information regarding customer accounts.
  • fulfillment.failed – Fired if one or more fulfillments failed during order fulfillment (e.g., due to insufficient remaining licenses in a pre-generated list).
  • mailingListEntry.removed – Fired when an entry is expected to be removed from a mailing list (e.g., due to customer unsubscribing by placing an order with the newsletter checkbox cleared/unselected). 
  • mailingListEntry.updated – Fired upon adding a new mailing list entry (e.g., for a customer who completed an order and selected the checkbox to "subscribe to news and updates").  
  • order.approval.pending – Fired when approval is required before an order can be completed (for example, when invoices are enabled for your Store with the Require Approval method configured, and a buyer places an order using a purchase order).
  • order.canceled – Fired when an order is canceled (e.g., when you cancel a pending approval order via the FastSpring App). 
  • order.payment.pending – Fired when an order has been processed, but payment from the buyer has not yet been completed (for example, when a buyer selects wire transfer as their payment method or buys using a purchase order).
  • order.completed – Fired upon successful order completion after fulfillment actions have been performed. For subscriptions, this event is only fired for the initial purchase transaction. Subsequent subscription billings do not trigger this event; only subscription.charge.completed events will be triggered.
  • order.failed – Fired if an order failed during checkout (e.g., due to a declined payment card)
  • payoutEntry.created – Fired when a payout event has been created (e.g., for an order, split pay rule, or return)
  • return.created – Fired when a refund or a return has been created (e.g., by returning a customer's order via the FastSpring App).
  • subscription.activated – Fired upon creation of a new subscription.
  • subscription.canceled – Fired upon cancellation of the subscription, when the Deactivate At Next Period option has been selected (if canceling via FastSpring App), or the billingPeriod=0 parameter has not been included (if canceling via the /subscriptions endpoint of the FastSpring API).
  • subscription.charge.completed – Fired upon completion of a recurring or managed subscription charge, or a charge resulting from proration following a subscription upgrade or downgrade. This event is not fired for the initial purchase of a subscription. Instead, we send order.completed – which is only fired for new purchases (including the initial purchase of a subscription) – and subscription.activated.
    • For optimized results, we recommend utilizing API calls as the final authority related to the status of a subscription; this is more reliable than implementing webhooks to track events such as subscription renewals.
  • subscription.charge.failed – Fired when a subscription charge or billing has failed (e.g., due to a declined payment card transaction).
  • subscription.deactivated – Fired upon deactivation of the subscription, including deactivation at the end of the billing period following a prior cancellation, or immediately upon cancellation when the subscription is canceled with the Deactivate Now option selected (via the FastSpring App) or the billingPeriod=0 parameter is included (canceling via the /subscriptions endpoint of the FastSpring API).
  • subscription.payment.overdue – Fired upon the overdue interval following the payment failed date.
  • subscription.payment.reminder – Fired upon the reminder interval before the next charge date.
  • subscription.trial.reminder – Fired when an email message is sent to the customer before the first billing, following a free trial period as configured via the Free Trial Days field in the Pricing popup dialog of the FastSpring App, or via the trial field inside the pricing node of a POST to the /products endpoint of the FastSpring API.
  • subscription.uncanceled – Fired when a subscription that had previously been canceled but not yet deactivated is uncanceled
  • subscription.updated – Fired when edits have been made to a subscription instance (e.g., by modifying the product, next payment date, etc. via the FastSpring App or the /subscriptions endpoint of the FastSpring API).

Add a Server Webhook

  1. Navigate to the Integrations > Webhooks. In the webhook you wish to edit, click Add URL Endpoint. The Add Webhook URL popup dialog appears.
  2. In the URL field, enter the external URL or endpoint where you want FastSpring to post the JSON data. We strongly recommend using HTTPS endpoints so that data will be encrypted against interception. 
    • Webhook posts use port 8443 of the targeted endpoint unless otherwise specified. If you need to specify a different port in your URL, please use one of the following ports: 3443, 8282, 9191, 9000, 9999. If you specify any other port in your URL, we may be unable to connect, resulting in a timeout error. 
  3. In the HMAC SHA256 Secret field, you can optionally enter a secret phrase for creating a digest of the payload to provide an additional layer of security. See Message Secret / Security for more details.
  4. In the Events section, select the checkbox for each event that you want FastSpring to post to the URL or endpoint for this webhook configuration.
  5. Scroll down to the bottom of the dialog (if necessary) and click Add.

We recommend using as an easy way to capture Webhooks for initial testing. If you plan to use the /events endpoint of the FastSpring API to manage your Webhook events, please note that the /events endpoint currently only works with events posted to the first or topmost Webhook configuration on this page.

View Recent Server Webhook Activity

The Webhooks tab of the Integrations menu includes a Recent Activity command towards the bottom right-hand corner of the page. This command lets you view all recent server webhook events on demand, right in your browser window.

If you input multiple webhook entries, only events for the first webhook are recorded

Clicking Recent Activity opens a scrollable popup window that shows up to 250 of the most recent events for which you have configured server webhooks. For each event sent to your webhook URL(s), you can see the date, time, and JSON contents of the individual event.

You can click the FILTER drop-down selector and choose whether the listed activity includes Processed events, Unprocessed events, or All (which is the default setting).

If you believe that you may have missed receiving one or more recent webhook events, you can also use the /events/unprocessed endpoint of the FastSpring API to request the contents of any recent server webhooks that were not delivered successfully. The structure of the API response is identical to that of the webhook events. 

    Request Payload

    Your webhooks endpoint should be able to receive 1 or more events. During setup, you define which types of events a given URL receives. FastSpring might send multiple webhook events with unique event IDs in a single, combined payload.

    Common Fields for All Types of Events

    • "id" – Unique ID of the event.
    • "live" – Whether this event is for live data instead of test data.
    • "processed" – Whether this event has been marked processed. For a new event this will always be false.
    • "type" – Identifier for the event that occurred.
    • "created" – Timestamp for when the event was created.
    • "data" – Varies per event "type". To see examples, click the link for each event in the Event Name column of the Server Webhooks table above.

    The following is an example request that your endpoint could receive containing two different event types. You could receive a post with multiple events of the same type as well.

    • {
          "events": [
                  "id": "jazYJQw5RSWVR474tU2Obw",
                  "live": true,
                  "processed": false,
                  "type": "subscription.activated"       
                  "created": 1426560444800,
                  "data": {
                      .... See webhook payload examples for "data" contents ....
                  "id": "VOe5PQx-T4S6t8yS_ziYeA",
                  "live": true,
                  "processed": false,
                  "type": "subscription.deactivated"     
                  "created": 1426560444900,
                  "data": {
                      .... See webhook payload examples for "data" contents ....

    Mark Events as Processed

    The goal of a Webhook is to mark received events as processed. There are two techniques:

    1. Bulk. Return HTTP status code 200 to consider all events received as successfully processed.
    2. Individual. Return HTTP status code 202 to exert more control over what is considered processed. In the response body, emit one event "id" on each new line (separated by character 10). Each event "id" given will be considered successfully processed.

      For example, if you receive a POST containing event IDs 8675309EeIEn, 10001110101, and ONOIML8ICU812, and you only want to mark the first two events as processed, you would return HTTP status code 202 and the body of your response would be as follows:

      • 8675309EeIEn
      • 10001110101

    All other HTTP status codes are considered failures. However, for failures, we recommend returning status codes in the 50X range, depending on the cause of the failure.

    Automatic Retries for Unprocessed Webhook Events

    For each webhook event that is not marked processed (see Marking Events as Processed above), FastSpring will automatically attempt to repost the event every ten minutes, for a period of 24 hours or until the event is marked processed successfully. If the event is not marked processed within 24 hours, FastSpring will discontinue attempts to repost that specific webhook event, but it can still be retrieved via the /events endpoint of the FastSpring API (see Retrieving Missed or Unprocessed Events below).

    When events have failed to process for 24 hours, a red Failed in last 24 hours indicator will appear on the card for the affected webhook configuration in the FastSpring App.

    Optional alert messages can be sent by email to notify you of the issue. If you do not have an alert email address configured, you will see a notice near the top of the Webhooks tab in the FastSpring App. You can configure the email address to which these alerts will be sent by clicking the Specify alert email address link.

    Clicking the link opens the Default Notify Settings page. At the bottom of that page is the Store Notification Addresses section.

    This section has a separate line for each Store in your account. If your account has multiple Stores, you can specify the Default Email and the Alert Email Addresses separately for each one. To configure alert addresses for failed webhook event notifications, enter one or more addresses in the Alert Email Addresses field(s) for the desired Store(s). If you enter more than one address, separate the addresses with commas, as in the example below.


    If an address is specified in the Alert Email Addresses field, alert messages will continue to be sent periodically as long as there are failed event posts within the past 24 hours. Once the underlying issue (e.g., connectivity or timeout problems on your end) has been resolved, messages that have failed within the past 24 hours can be reposted successfully on subsequent automatic retries. At that point, the statuses for those events will changed to processed. When there are no more unprocessed events within the past 24 hours, the Failing indicator will disappear from the webhook configuration card, and no further alert email messages will be sent.

    Retrieve Missed or Unprocessed Events

    In the event that your server does not process one or more events successfully (e.g., if your server is temporarily unavailable at the time an event is posted), you can repost them manually via the order or subscription details page, OR retrieve any and all missed events by making a call to the /events /unprocessed endpoint of the FastSpring API.

    Simply make a GET call to /events/unprocessed endpoint and all subscribed webhook events that have not been marked as processed (see above) will be returned in the API response. The response structure is nearly identical to the structures of the unprocessed webhook events, so you can process the response in the same way you would have processed the corresponding/missed webhook posts.

    After processing any events that had been missed, you should mark those events as processed via a POST to the /events endpoint of the FastSpring API so that they will not be returned the next time you get unprocessed events. For example: POST /events/{id}. For more information, please see /events.

    The response returned from the /events endpoint is limited to 25 unique events. If the "more" attribute is present with a "true" value on the last line of the response, you may need to make multiple requests in order to retrieve all events. You can optionally specify a time frame with your request (e.g. beginning with the time of the last event in the response) if you want to page through all events before marking any of them processed. For more information, please see /events.

    It may be a good idea to set up an automatic, scheduled task that runs daily (or more often) on your servers to call /events/unprocessed and automatically retrieve any webhook events that might have been missed during the interval since the job last ran. After parsing the events, the script should mark them as processed. When retrieving unprocessed events, you can optionally specify a time frame, but that may not be necessary in this context. For more information, please see /events

    Message Secret / Security

    Each webhook can optionally define a secret cryptographic key in the HMAC SHA256 Secret field. FastSpring's server will use that key to generate a hashed digest of each webhook payload. The resulting digest will be encoded to base64 and included in the webhook's X-FS-Signature header. Your server can then use the same process, creating a hashed digest of the payload using the same secret key on your side, and then encoding the resulting hash to base64 before comparing the it to the value in that header.

    A post with a valid, matching digest in the header can only have originated from a source that uses the correct secret key. Therefore, if you have only provided the secret key to FastSpring via the webhook interface in the FastSpring App (i.e., you have not given the key to anyone else or used it anywhere else), this confirms that the webhook data is authentic (and also intact), since nobody else knows your secret key and the key is not (of course) included in the post. You can find more information about hash-based message authentication at

    The X-FS-Signature header we send is case-insensitive, but there have been some reports that it comes through with varying case (all lower case, or mixed case). We recommend that you capture the incoming webhook data–including the header–for verification while adding/registering. The console will log the request and response and you can inspect it in case there are questions about the header contents.

    The following is an example of using the PHP hash_hmac function to create the hashed digest, where $secret is the secret key entered in the HMAC SHA256 Secret field in the FastSpring App:

    Example of using PHP to compute and compare the HMAC hash

    Note: nginx users need to enable underscores in headers to use this.

    • $hash = base64_encode( hash_hmac( 'sha256', file_get_contents('php://input') , $secret, true ) ); if ($hash == $_SERVER['X-Fs-Signature']) { /* Your code here */ }

    Here is an example of computing and comparing the HMAC hash using Node.js:

    Example of using Node.js to compute and compare the HMAC hash

    • const crypto = require('crypto');
       * Validates a FastSpring webhook
       * @param {string} req    Node request object, where 'req.body' is a Node
       *                        Buffer object containing the request body
       * @param {string} secret the secret string saved in the FastSpring App
      const isValidSignature = (req, secret) => {
        const fsSignature = req.headers['X-FS-Signature'];
        const computedSignature = crypto.createHmac('sha256', secret)
        return fsSignature === computedSignature;