COPE Webhooks deliver all relevant business events to your system in real time – signed, reliable, and with full developer tooling.
What COPE Webhooks include
HTTPS-only endpoints
HMAC-SHA256 signature with anti-replay protection
CloudEvents 1.0 payload standard
Automatic retries with backoff
90-day event replay
Flow:
COPE → Event → Your endpoint (webhook)
Example: real-time webhook payload
http
POST /your-endpoint HTTP/1.1 Content-Type: application/json Cope-Signature: t=1717499231,v1=a8c7b9... { "specversion": "1.0", "type": "payment.sale.succeeded", "source": "cope-payments", "id": "evt_01HK9YJF...", "time": "2026-06-04T13:42:11Z", "subject": "ord_8s7xV2K", "data": { "order_id": "ord_8s7xV2K", "business_uuid": "biz_a1b2c3", "amount_total": 49700, "currency": "USD" } }Events you can subscribe to
Webhooks (an automatic real-time notification sent from COPE to your system) are configurable per endpoint and per event type – you decide whether to receive everything or only specific events.
Cart Events
cart.created · cart.line.added · cart.line.updated · cart.line.removed · cart.buyer_identity.set · cart.currency.changed · cart.abandoned
Checkout Events
checkout.created · checkout.cancelled · checkout.expired
Order Events
order.created · order.completed · order.failed
Payment Events
payment.sale.succeeded · payment.sale.failed · payment.refund.created · payment.refund.reversed
Disputes & Chargebacks
payment.dispute.opened · payment.dispute.won · payment.dispute.lost · payment.dispute.counter_fee.created · payment.chargeback.created · payment.chargeback.reversed
Payouts
payout.transfer.initiated · payout.transfer.completed
Ticketing
ticketing.event.published · ticketing.check_in.created · ticketing.ticket.issued · ticketing.ticket.voided · ticketing.ticket.reissued
Webhook Lifecycle
webhook.endpoint.created · webhook.endpoint.updated · webhook.endpoint.auto_disabled
Every event itself reveals the use-case possible.
CloudEvents 1.0 – a standard your stack already understands
All webhook payloads follow CloudEvents 1.0 – a consistent, predictable envelope for every event.
Field | Meaning |
| Always |
| Event type (e.g. |
| Originating service |
| Unique event ID |
| Timestamp in RFC3339 format |
| Primary resource (e.g. order ID) |
| Event-specific payload |
Important – idempotency: Webhooks are delivered at-least-once. Events may arrive more than once and order is not guaranteed. Always deduplicate based on source + id.
Security – HMAC-SHA256 with anti-replay
Every webhook is signed so you can verify it genuinely came from COPE.
Cope-Signature: t=timestamp,v1=hmac_signature
The signature is based on timestamp.rawBody (HMAC-SHA256). Events older than 5 minutes are automatically rejected.
Example (Node.js):
js
import crypto from 'crypto'; function verifyCopeWebhook(rawBody, signatureHeader, secret) { const parts = signatureHeader.split(',').reduce((acc, p) => { const [k, v] = p.split('='); acc[k] = v; return acc; }, {}); const timestamp = parseInt(parts.t, 10); const signature = parts.v1; const ageSeconds = Math.floor(Date.now() / 1000) - timestamp; if (ageSeconds > 300) return false; const expected = crypto .createHmac('sha256', secret) .update(`${timestamp}.${rawBody}`) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(expected, 'hex'), Buffer.from(signature, 'hex') ); }Important notes:
Each endpoint (the URL address where COPE sends data to) has its own signing secret
The secret is only shown once at creation
Rotation currently requires creating a new endpoint
Never use the secret in frontend code
Delivery & reliability
Retry schedule:
Attempt | Delay |
1st attempt | 30 seconds |
2nd attempt | 5 minutes |
3rd attempt | 30 minutes |
4th attempt | 2 hours |
5th attempt | 12 hours |
Maximum | 6 attempts |
5xx/ timeout → retry4xx→ no retry (endpoint is rejecting the event)Persistent failures → endpoint auto-disabled
When an endpoint is auto-disabled, a webhook.endpoint.auto_disabled event is sent and you are notified by email.
Delivery guarantee: At-least-once · No guaranteed ordering · Idempotency is your responsibility (source + id)
Developer tools
Test events – trigger synthetic events signed exactly like real ones
Replay – resend individual events or bulk replay from a point in time, up to 90 days of history
Delivery logs – status code, response time, retry count, and timestamp per delivery
Endpoint stats – success rate, p99 latency, event-type filter
Live vs. roadmap
● Live now:
HTTPS-only webhooks · HMAC-SHA256 signing + anti-replay · CloudEvents 1.0 · Retry system with backoff · At-least-once delivery · Event coverage (cart, checkout, orders, payments, refunds, disputes, payouts) · Endpoint management API · Test events · Replay (90 days) · Delivery logs & stats
○ Roadmap:
Secret rotation with grace period · PII redaction per endpoint · Native Zapier / Make / n8n connectors · Exactly-once / ordered delivery

