apps folder inside the
custom folder of your Shopware dev installation. In there, create another folder for your application and provide a manifest file in it.
shopware-app-signature header will be provided, which contains a cryptographic signature of the query string. The secret used to generate this signature is the
app secret, which is unique per app and will be provided by the Shopware Account if you upload your app to the store. This secret won't leave the Shopware Account, so it won't even be leaked to the shops installing your app.
app secret you need to provide a proof that is signed with the
app secret too. The proof consists of the sha256 hmac of the concatenated
shopUrl and your app's name.
confirmation_url of the registration with the following parameters sent in the request body:
apiKey: The ApiKey used to authenticate against the Shopware API
secretKey: The SecretKey used to authenticate against the Shopware API
timestamp: The Unix timestamp when the request was created
shopUrl: The URL of the shop
shopId: The unique identifier of the shop
client_secret respectively when you request an OAuth token from the admin api.
shop-secret that your app provided in the registration response, and the signature can be found in the
shopware-shop-signature header. You need to recalculate that signature and check that it matches the provided one, to make sure that the request was really sent from the shop with that shopId.
delete) and the entity.
<webhooks> element in your manifest file, like this:
product-changed and the url
https://example.com/event/product-changed which will be triggered if the event
product.written is fired. So every time a product is changed, your custom logic will get executed. Further down you will find a list of the most important events you can hook into.
source property contains all necessary information about the Shopware instance that sent the request:
url is the URL under which your app can reach the Shopware instance and its API
appVersion is the version of the app that is installed
shopId is the id by which you can identify the Shopware instance
data contains the name of the event so that a single endpoint can handle several different events, should you desire.
data also contains the event data in the
payload property. Due to the asynchronous nature of these webhooks, the
entity.written events do not contain complete entities as these might become outdated. Instead the entity in the payload is characterized by its id, stored under
primaryKey, so that the app can fetch additional data through the shop's API. This also has the advantage of giving the app explicit control over the associations that get fetched instead of relying on the associations determined by the event. Other events, in contrast, contain the entity data that defines the event, but keep in mind that the event might not contain all associations.
timestamp is the time at which the webhook was handled. This can be used to prevent replay attacks, as an attacker cannot change the timestamp without making the signature invalid. If the timestamp is too old, your app should reject the request. This property is only available from 184.108.40.206 onwards
shopware-shop-signature every request should have a sha256 hmac of the request body, that is signed with the secret your app assigned the shop during the registration. The mechanism to verify the request is exactly the same as the one used for the confirmation request.
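The signature and timestamp checks described above can be combined in one verification step on the app server. The following is an added example, not code from the original page or from Shopware; it assumes the signature is hex-encoded, that timestamp is a top-level Unix-seconds field of the JSON body, a 300-second tolerance, and an in-memory map of shop secrets, and all sample values are constructed.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 300  # assumed tolerance; the page only says "too old"

# Constructed sample data: shopId -> shop-secret issued at registration.
SECRETS = {"shop-123": "constructed-shop-secret"}
SAMPLE_BODY = json.dumps({
    "data": {"event": "product.written",
             "payload": [{"entity": "product", "primaryKey": "abc123"}]},
    "source": {"url": "https://shop.example", "appVersion": "1.0.0", "shopId": "shop-123"},
    "timestamp": 1700000000,
}).encode()


def sign_body(raw_body: bytes, shop_secret: str) -> str:
    """SHA-256 HMAC of the raw body; hex encoding is an assumption."""
    return hmac.new(shop_secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature: str, secrets: dict, now=None):
    """Return (ok, reason) for one webhook request."""
    now = time.time() if now is None else now
    if not signature:
        return False, "missing signature"
    try:
        body = json.loads(raw_body)
        shop_id = body["source"]["shopId"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed body"
    # The body is untrusted until the HMAC matches; shopId only selects the key.
    secret = secrets.get(shop_id) if isinstance(shop_id, str) else None
    if secret is None:
        return False, "unknown shop"
    expected = sign_body(raw_body, secret)
    # Compare in constant time, over bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    ts = body.get("timestamp")
    if not isinstance(ts, (int, float)) or not abs(now - ts) <= MAX_AGE_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


if __name__ == "__main__":
    sig = sign_body(SAMPLE_BODY, SECRETS["shop-123"])
    print(verify_webhook(SAMPLE_BODY, sig, SECRETS, now=1700000060))
```

The HMAC must be computed over the exact bytes received, before any JSON re-serialization, since re-encoding can change whitespace or key order and break the match.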
api/notification endpoint with a valid body and the header
Authorization token. Your app can request 10 times before being delayed by the system.
status property, the content of the notification as
message property and you can restrict users who can read the notification by passing
adminOnly property inside the payload. When
adminOnly is true, only admins can read this notification. If you don't send the
adminOnly is false, you can pass the
requiredPrivileges property so that users with specific permissions can read the notification. Otherwise, it will be displayed to every user.
status: Notification status, one of
message: The content of the notification
adminOnly: Only admins can read this notification if this value is true
requiredPrivileges: The required privileges that users need to have to read the notification
notification:create permission to access this api.
app:validate command to validate the configuration of your app. It will check for common errors, like:
APP_URL environment variable will be set to the correct URL to the shop. In particular, it is assumed that the environment variable will be changed when a shop is migrated to a new domain, or a staging shop is created as a duplicate of a production shop.
bin/console app:url-change:resolve command, or with a modal that pops up when the administration is opened.