Webhooks
When Gett sends webhook requests to your system (e.g., order placement), every request includes signature headers for verification and follows a retry policy for reliability.
Webhook Events
Gett emits two event types over the order lifecycle. Both are delivered as POST requests to the webhook URL you register during integration setup.
| Event type | When it fires | Timing |
|---|---|---|
order_create | After a successful placeOrder — the Gett order has been accepted | Async — may arrive after the API response returns |
order_update | When the order status changes (e.g., confirmed, shipped, fulfilled, canceled) | Async |
order_create payload
Code
order_update payload
Code
status values: created, manual_review, confirmed, canceled, shipped, fulfilled.
refunds[] shape (present when refunds have been applied):
Code
type is store_credit or original_payment. amount is in minor units (cents for USD — e.g. 1050 = $10.50).
Webhook Signatures
Every webhook request includes two headers for signature verification:
| Header | Value |
|---|---|
Signature | HMAC-SHA256 of the raw request body, hex-encoded |
Timestamp | Unix timestamp (seconds) of when the event was signed |
API-Version | Protocol version, currently 2026-01-30 |
The Signature is HMAC-SHA256 of the raw request body, computed using the webhook secret provided during your integration setup. Compare against the body alone — do not prepend the timestamp. Use the Timestamp header to reject replays: discard any request whose timestamp is more than 300 seconds away from the current time.
Verification Examples
TypeScript / Node.js
Code
Python
Code
Always Verify
Never process a webhook without verifying the signature. Reject requests with missing, invalid, or stale signatures with a 401 response.
Retry Policy
Gett retries failed webhook deliveries with exponential backoff:
| Attempt | Delay |
|---|---|
| 1st retry | 30 seconds |
| 2nd retry | 2 minutes |
| 3rd retry | 10 minutes |
| 4th retry | 1 hour |
| Final retry | 6 hours |
A delivery is considered failed if your endpoint returns a non-2xx status code or doesn't respond within 30 seconds.
Idempotency
Your webhook endpoints must be idempotent. Use the orderId as an idempotency key — if you receive a duplicate request, return 200 OK with the existing result rather than creating a duplicate.
Best Practices
- Return
200 OKas quickly as possible; process work asynchronously - Store the
orderIdbefore returning the response - Log all webhook payloads for debugging
- If you return a non-2xx response, the same webhook will be retried