Webhooks
AuraPOS webhooks let you be notified in real-time of events occurring in your business (new ticket, customer change, etc.) without having to poll the API.
Availability
Accessible from the AuraPOS web backend:
- Included in Group and Restaurant Group editions
- Optional €24/month for Express / Boutique / Studio / Restaurant
How it works
- Create a webhook in Settings → Webhooks (Owner only)
- Provide a public HTTPS URL where AuraPOS will send notifications
- Select events to listen to (multi-select)
- AuraPOS generates a unique HMAC secret (shown once, copy it)
- On each event, AuraPOS sends a HMAC-SHA256 signed POST
- You process the notification server-side (Slack, ERP, etc.)
The 7 available events
| Event | Triggered when |
|---|---|
ticket.created | New non-cancelled ticket validated |
ticket.cancelled | Existing ticket cancelled |
client.created | New customer created |
client.updated | Existing customer modified |
produit.updated | Product created or modified |
promotion.created | New promotion created |
promotion.updated | Existing promotion modified |
Payload format
On each event, AuraPOS sends a JSON POST:
{
"event": "ticket.created",
"delivery_id": "uuid-of-this-delivery",
"created_at": "2026-05-17T14:32:08.123Z",
"payload": {
"numero": 1234,
"total_tvac": 55.39,
"mode_paiement": "Bancontact",
"lignes": [...]
}
}
Sent HTTP headers
POST /your-endpoint HTTP/1.1
Content-Type: application/json
User-Agent: AuraPOS-Webhooks/1.0
X-AuraPOS-Event: ticket.created
X-AuraPOS-Delivery: uuid-of-this-delivery
X-AuraPOS-Signature: sha256=<hex hmac of body>
Signature verification (security)
⚠️ Always verify HMAC signature to ensure the request comes from AuraPOS.
Node.js
import crypto from "node:crypto";
function verifySignature(req, secret) {
const signature = req.headers["x-aurapos-signature"];
if (!signature) return false;
const [algo, hash] = signature.split("=");
if (algo !== "sha256") return false;
const expected = crypto.createHmac("sha256", secret)
.update(req.rawBody).digest("hex");
return crypto.timingSafeEqual(
Buffer.from(hash, "hex"),
Buffer.from(expected, "hex"),
);
}
PHP
function verifySignature($rawBody, $signature, $secret) {
$expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
return hash_equals($expected, $signature);
}
Reliability: automatic exponential retry
- HTTP 2xx → delivered
- Other status or timeout after 10s → failed, retry scheduled
Exponential backoff: 1 min, 5 min, 30 min, 2h, 12h (max 5 attempts). After 5 failures: status abandoned.
Delivery history
In the webhook edit page, you see the 50 latest deliveries: date + event, status, HTTP code, attempts count, first 500 chars of response body.
"Send test" button
Before going to prod: test button Send test (event ping) queues a special event delivered at the next worker tick (max 1 min).
Latency
Worker tick runs every minute. Max latency between event and webhook notification ~ 1 minute.
For desktop tickets: add ~15 min (BackendSync push), so 16 min max between register sale and webhook receipt.
Typical use cases
- Team notification: Webhook → Slack incoming webhook → message in #sales channel
- CRM sync:
client.created→ Mailchimp / Brevo API → add to newsletter list - Make / Zapier workflow: chains 5 actions
- E-commerce catalog push:
produit.updated→ script that pulls/api/v1/produits/{id}→ POST to e-commerce platform - Real-time BI dashboard
Endpoint that goes down
If your endpoint is down for several hours: first attempts fail, retry schedule continues. If you come back before 5th attempt → delivered. Otherwise after 12h abandoned → manually recover events via /api/v1/tickets?debut=....
For critical integrations (accounting): schedule a weekly job that re-pulls tickets to bridge any abandoned.
Secret regeneration
If HMAC secret leaks: from webhook edit → Regenerate secret (old invalidated). Update consumer side immediately.
Deletion
Delete button in danger zone. Deletion is final and immediately stops deliveries.