Skip to main content

Real-Time Webhooks for every event in your Business

COPE Webhooks deliver all relevant business events to your system in real time – signed, reliable, and with full developer tooling.


What COPE Webhooks include

  • HTTPS-only endpoints

  • HMAC-SHA256 signature with anti-replay protection

  • CloudEvents 1.0 payload standard

  • Automatic retries with backoff

  • 90-day event replay

Flow:
COPE → Event → Your endpoint (webhook)

Example: real-time webhook payload

http

POST /your-endpoint HTTP/1.1 Content-Type: application/json Cope-Signature: t=1717499231,v1=a8c7b9...  {   "specversion": "1.0",   "type": "payment.sale.succeeded",   "source": "cope-payments",   "id": "evt_01HK9YJF...",   "time": "2026-06-04T13:42:11Z",   "subject": "ord_8s7xV2K",   "data": {     "order_id": "ord_8s7xV2K",     "business_uuid": "biz_a1b2c3",     "amount_total": 49700,     "currency": "USD"   } }

Events you can subscribe to

Webhooks (an automatic real-time notification sent from COPE to your system) are configurable per endpoint and per event type – you decide whether to receive everything or only specific events.

Cart Events
cart.created · cart.line.added · cart.line.updated · cart.line.removed · cart.buyer_identity.set · cart.currency.changed · cart.abandoned

Checkout Events
checkout.created · checkout.cancelled · checkout.expired

Order Events
order.created · order.completed · order.failed

Payment Events
payment.sale.succeeded · payment.sale.failed · payment.refund.created · payment.refund.reversed

Disputes & Chargebacks
payment.dispute.opened · payment.dispute.won · payment.dispute.lost · payment.dispute.counter_fee.created · payment.chargeback.created · payment.chargeback.reversed

Payouts
payout.transfer.initiated · payout.transfer.completed

Ticketing
ticketing.event.published · ticketing.check_in.created · ticketing.ticket.issued · ticketing.ticket.voided · ticketing.ticket.reissued

Webhook Lifecycle
webhook.endpoint.created · webhook.endpoint.updated · webhook.endpoint.auto_disabled

Every event itself reveals the use-case possible.


CloudEvents 1.0 – a standard your stack already understands

All webhook payloads follow CloudEvents 1.0 – a consistent, predictable envelope for every event.

Field

Meaning

specversion

Always 1.0

type

Event type (e.g. payment.sale.succeeded)

source

Originating service

id

Unique event ID

time

Timestamp in RFC3339 format

subject

Primary resource (e.g. order ID)

data

Event-specific payload

Important – idempotency: Webhooks are delivered at-least-once. Events may arrive more than once and order is not guaranteed. Always deduplicate based on source + id.


Security – HMAC-SHA256 with anti-replay

Every webhook is signed so you can verify it genuinely came from COPE.

Cope-Signature: t=timestamp,v1=hmac_signature

The signature is based on timestamp.rawBody (HMAC-SHA256). Events older than 5 minutes are automatically rejected.

Example (Node.js):

js

import crypto from 'crypto';  function verifyCopeWebhook(rawBody, signatureHeader, secret) {   const parts = signatureHeader.split(',').reduce((acc, p) => {     const [k, v] = p.split('=');     acc[k] = v;     return acc;   }, {});    const timestamp = parseInt(parts.t, 10);   const signature = parts.v1;    const ageSeconds = Math.floor(Date.now() / 1000) - timestamp;   if (ageSeconds > 300) return false;    const expected = crypto     .createHmac('sha256', secret)     .update(`${timestamp}.${rawBody}`)     .digest('hex');    return crypto.timingSafeEqual(     Buffer.from(expected, 'hex'),     Buffer.from(signature, 'hex')   ); }

Important notes:

  • Each endpoint (the URL address where COPE sends data to) has its own signing secret

  • The secret is only shown once at creation

  • Rotation currently requires creating a new endpoint

  • Never use the secret in frontend code


Delivery & reliability

Retry schedule:

Attempt

Delay

1st attempt

30 seconds

2nd attempt

5 minutes

3rd attempt

30 minutes

4th attempt

2 hours

5th attempt

12 hours

Maximum

6 attempts

  • 5xx / timeout → retry

  • 4xx → no retry (endpoint is rejecting the event)

  • Persistent failures → endpoint auto-disabled

When an endpoint is auto-disabled, a webhook.endpoint.auto_disabled event is sent and you are notified by email.

Delivery guarantee: At-least-once · No guaranteed ordering · Idempotency is your responsibility (source + id)


Developer tools

  • Test events – trigger synthetic events signed exactly like real ones

  • Replay – resend individual events or bulk replay from a point in time, up to 90 days of history

  • Delivery logs – status code, response time, retry count, and timestamp per delivery

  • Endpoint stats – success rate, p99 latency, event-type filter


Live vs. roadmap

● Live now:
HTTPS-only webhooks · HMAC-SHA256 signing + anti-replay · CloudEvents 1.0 · Retry system with backoff · At-least-once delivery · Event coverage (cart, checkout, orders, payments, refunds, disputes, payouts) · Endpoint management API · Test events · Replay (90 days) · Delivery logs & stats

○ Roadmap:
Secret rotation with grace period · PII redaction per endpoint · Native Zapier / Make / n8n connectors · Exactly-once / ordered delivery

Did this answer your question?