Skip to main content
This guide walks through the complete process of setting up an RMZ webhook, building a receiver endpoint, verifying signatures, and handling common scenarios.

Prerequisites

  • An RMZ store with an RMZ+ subscription plan
  • A publicly accessible HTTPS endpoint to receive webhooks
  • Basic knowledge of your server framework (Express, Flask, Laravel, etc.)

Step 1: Create a Webhook in the Dashboard

1

Navigate to webhook settings

Go to Dashboard > Settings > Webhooks.
2

Add a new webhook

Click Add Webhook and fill in the configuration:
3

Save and note your secret key

After saving, the webhook’s secret key (28 characters) is shown. Copy and store it securely — you will need it to verify signatures.
4

Enable the webhook

Toggle the webhook to Enabled when you are ready to receive events.

Step 2: Build Your Receiver Endpoint

Your endpoint must accept HTTP POST requests, verify the signature, process the payload, and return a 200 status quickly.
If you are using Laravel, make sure to exclude the webhook route from CSRF verification by adding it to the $except array in App\Http\Middleware\VerifyCsrfToken.

Step 3: Handle Retries and Idempotency

Webhooks may be delivered more than once. Use the X-RMZ-REQUEST-ID header to detect and ignore duplicates:
Store processed request IDs in Redis with a 7-day TTL for automatic cleanup. In a database, use a unique constraint on the request ID column and catch the duplicate key error.

Step 4: Test Your Webhook

Before enabling the webhook for production:
  1. Use a tunneling tool like ngrok to expose your local server:
    Use the generated HTTPS URL as your webhook URL.
  2. Place a test order in your store to trigger the order.created event.
  3. Check the webhook logs in your dashboard to see the delivery status and response from your server.
  4. Verify the payload matches the expected format documented in Payload Format.

Common Patterns

Sending Slack Notifications

Syncing to a Database


Troubleshooting

  • Verify the webhook is enabled in the dashboard
  • Check that your URL is publicly accessible (not localhost)
  • Ensure your endpoint accepts POST requests and returns a 2xx status
  • Check the webhook logs in the dashboard for error details
  • Use the raw request body for verification, not the parsed JSON
  • Ensure you are using the correct secret key for this specific webhook
  • Check for middleware that modifies the request body before your handler
  • This is expected behavior during retries. Implement idempotency using the X-RMZ-REQUEST-ID header.
  • Use the created_at timestamp in the statuses array to determine the correct chronological order.