Webhooks

Webhooks

Pomoću webhooka primate obavijesti u stvarnom vremenu kada se dogode događaji u vašem radnom prostoru — npr. kada se skenira QR kod.

Izrada webhooka

POST /v1/webhooks

{
  "url": "https://example.com/webhooks/qr3",
  "events": ["qr.scanned", "qr.created"],
  "secret": "my-secret-key-min-16-chars"
}

Caution

Webhook URL-ovi moraju koristiti HTTPS. HTTP URL-ovi bit će odbijeni.

Odgovor

{
  "id": "wh_abc123",
  "url": "https://example.com/webhooks/qr3",
  "events": ["qr.scanned", "qr.created"],
  "is_active": true,
  "secret": "my-secret-key-min-16-chars",
  "secret_hint": "my-s…",
  "created_at": "2026-03-15T10:00:00.000Z"
}

Note

Parametar secret vraća se samo jednom. Čuvajte ga na sigurnom — potreban je za verifikaciju potpisa.

Vrste događaja

Događaj	Opis
*	Svi događaji
qr.created	QR kod je kreiran
qr.updated	QR kod je ažuriran (URL, status, oznake)
qr.deleted	QR kod je obrisan
qr.scanned	QR kod je skeniran
qr.flagged	QR kod je označen kao nesiguran
scan.created	Događaj skeniranja (alias za qr.scanned)
workspace.updated	Radni prostor je ažuriran
webhook.ping	Testni ping (putem /ping krajnje točke)

Format payload-a

Svi webhook payload-i imaju ovaj format:

{
  "id": "evt_abc123xyz",
  "type": "qr.scanned",
  "created": "2026-03-15T10:00:00.000Z",
  "data": {
    "code_id": "qr_abc123",
    "short_code": "r7f3Kx",
    "scan_id": "scn_xyz",
    "country": "AT",
    "device_type": "mobile",
    "os": "iOS"
  }
}

Verifikacija potpisa

qr3.app potpisuje svaki webhook zahtjev pomoću HMAC-SHA256:

X-QR3-Signature: sha256=a1b2c3d4e5f6...

Implementacija verifikacije

Node.js

import crypto from "crypto";

function verifySignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  const received = signature.replace("sha256=", "");
  return crypto.timingSafeEqual(
    Buffer.from(expected, "hex"),
    Buffer.from(received, "hex")
  );
}

// In Express:
app.post("/webhooks/qr3", (req, res) => {
  const signature = req.headers["x-qr3-signature"] as string;
  const valid = verifySignature(
    JSON.stringify(req.body),
    signature,
    process.env.QR3_WEBHOOK_SECRET
  );
  if (!valid) return res.status(401).json({ error: "Invalid signature" });

  const event = req.body;
  console.log(event.type, event.data);
  res.json({ received: true });
});

Python

import hmac
import hashlib

def verify_signature(payload: str, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    received = signature.removeprefix("sha256=")
    return hmac.compare_digest(expected, received)

Logika ponovnog pokušaja

U slučaju pogrešaka (HTTP >= 300 oder Timeout), qr3.app ponovno pokušava dostavu:

Pokušaj	Odgoda
1	Odmah
2	1 minuta
3	5 minuta

Nakon 10 uzastopnih pogrešaka, webhook se automatski deaktivira.

Zapisi o dostavi

GET /v1/webhooks/:id/deliveries

{
  "data": [
    {
      "id": "whd_abc123",
      "event_type": "qr.scanned",
      "status": "success",
      "status_code": 200,
      "response_time_ms": 145,
      "attempt": 1,
      "created_at": "2026-03-15T10:00:00.000Z"
    }
  ]
}

Testni ping

Odmah testirajte webhook:

POST /v1/webhooks/:id/ping

To šalje webhook.ping događaj na URL vaše krajnje točke.