Webhooks
Use webhook endpoints to receive automatic updates
Herald uses webhook endpoints to send an automatic updates when there is a status change associated with an object. If you do not see the status change or object you need in the table below, please poll.
You can add any number of subscriptions to a webhook endpoint. Herald also supports multiple webhook endpoints.
Note on wait times:
[.h-code]quote_status_update[.h-code]
the time it takes to generate a quote
varies based on institution (carrier), so don't worry if quotes aren't sent to the webhook endpoint instantly. To give an idea, some institutions can take up to 2 minutes to process a quote
.
[.h-code]data_extraction[.h-code]
Wait time varies by extraction methods used and can range from 5s to 30s depending on type of files used for the extraction.
Set Up
Reach out to a member of the Herald team to set up a webhook endpoint. Reference details are below. All webhook endpoints will use the same secret key (see Security below).
- To get a webhook endpoint, you must provide a webhook URL (or URLs) in the standard format [.h-code]
https://(www.)domain.com/resource[.h-code]
- Each URL may be associated with one or more objects / subscriptions
- You may have 1 or more URLs
- We only support HTTPS URLs
- Then, when a webhook subscription is trigged by a status change, Herald will send a [.h-code]
POST[.h-code]
request containing the quote data to the provided webhook URL. (see below for format)
Request Format
The webhook URL provided to Herald will receive requests in the following format:
Security
In order to ensure that the [.h-code]POST[.h-code] request coming in to the webhook endpoint is from Herald, we have included [.h-code]x-herald-signature[.h-code] as a header in the [.h-code]POST[.h-code] request. The value of this header is a SHA-256 hash of the secret key provided to you concatenated with the stringified version of the request body. This ensures that the secret key is correct as well as ensure the content of the request has not been modified.
To verify this signature, the server consuming the webhook will need to concatenate the secret key with the stringified version of the request body and generate the SHA-256 hash. An authenticated request will meet the requirement that the [.h-code]x-herald-signature[.h-code] and the generated SHA-256 hash are equal.
Below is an example implementation of a simple Express server with a [.h-code]POST[.h-code] endpoint that authenticates the Herald signature header and request:
Retries
Herald will send the webhook event when the quote finishes processing. This initial time will vary based on carrier response times. If there is a non-200 response from the configured webhook endpoint, Herald will retry sending the webhook up to two additional times at intervals spaced a few minutes apart.