Real-time Notifications

Webhooks

Receive real-time notifications for all events on your account. Invoices, signatures, balance alerts — stay informed instantly.

Get Started Signature Verification

Quick Start

Configure webhooks in your dashboard or via the API to start receiving real-time notifications.

Configure Webhook URL

Add your callback URL in the dashboard under Settings > Webhooks. The URL must use HTTPS and resolve to a publicly routable IP (RFC1918, loopback, link-local and CGNAT addresses are rejected at save time).

Get Your Secret

On creation (or regeneration), Scell.io shows your webhook secret (whsec_xxx...) ONCE. Store it immediately in a secret manager — subsequent GETs only return a fingerprint (last 4 characters) for identification.

Verify Signatures

Always verify the X-Scell-Signature header before processing events. This ensures authenticity.

Security Best Practice: Never expose your webhook secret in client-side code. Always verify signatures on your backend server.

Signature Verification

Always verify webhook signatures to ensure requests originate from Scell.io. The signature is included in the X-Scell-Signature header.

Important: The signature format is t=timestamp,v1=signature. Always use timing-safe comparison functions to prevent timing attacks.

WebhookController.php

php

1<?php
2
3namespace App\Http\Controllers;
4
5use Illuminate\Http\Request;
6use Illuminate\Http\Response;
7
8class WebhookController extends Controller
9{
10    private string $webhookSecret;
11
12    public function __construct()
13    {
14        $this->webhookSecret = config('services.scell.webhook_secret');
15    }
16
17    public function handle(Request $request): Response
18    {
19        // 1. Get signature header
20        $signatureHeader = $request->header('X-Scell-Signature');
21
22        if (!$signatureHeader) {
23            return response('Missing signature header', 400);
24        }
25
26        // 2. Parse timestamp and signature
27        $elements = $this->parseSignatureHeader($signatureHeader);
28        $timestamp = $elements['timestamp'];
29        $signature = $elements['signature'];
30
31        // 3. Verify timestamp (replay attack protection)
32        if (abs(time() - $timestamp) > 300) {
33            return response('Timestamp expired', 403);
34        }
35
36        // 4. Verify signature
37        $payload = $request->getContent();
38        $expectedSignature = $this->computeSignature($timestamp, $payload);
39
40        if (!hash_equals($expectedSignature, $signature)) {
41            return response('Invalid signature', 403);
42        }
43
44        // 5. Process event
45        $event = $request->input('event');
46        $data = $request->input('data');
47
48        $this->processEvent($event, $data);
49
50        return response('OK', 200);
51    }
52
53    private function parseSignatureHeader(string $header): array
54    {
55        $parts = explode(',', $header);
56        $elements = [];
57
58        foreach ($parts as $part) {
59            [$key, $value] = explode('=', $part, 2);
60            $elements[$key] = $value;
61        }
62
63        return [
64            'timestamp' => (int) $elements['t'],
65            'signature' => $elements['v1'],
66        ];
67    }
68
69    private function computeSignature(int $timestamp, string $payload): string
70    {
71        $signedPayload = "{$timestamp}.{$payload}";
72        return hash_hmac('sha256', $signedPayload, $this->webhookSecret);
73    }
74
75    private function processEvent(string $event, array $data): void
76    {
77        match ($event) {
78            'invoice.validated' => $this->handleInvoiceValidated($data),
79            'signature.completed' => $this->handleSignatureCompleted($data),
80            'balance.low' => $this->handleBalanceLow($data),
81            default => null,
82        };
83    }
84}

Events Reference

Subscribe to the events you need. Each event includes relevant data in the payload.

Invoice Events

Event	Description
`invoice.created`	Invoice has been created
`invoice.validated`	Invoice validated (Factur-X/UBL generated)
`invoice.transmitted`	Invoice transmitted to the PDP (SUPER PDP / electronic network)
`invoice.accepted`	Invoice accepted by recipient
`invoice.rejected`	Invoice rejected
`invoice.error`	Error during invoice processing or transmission

Incoming Invoice Events

Event	Description
`invoice.incoming.received`	An incoming invoice addressed to your account was received via SUPER PDP
`invoice.incoming.validated`	The incoming invoice passed EN16931 validation
`invoice.incoming.accepted`	The incoming invoice was accepted
`invoice.incoming.rejected`	The incoming invoice was rejected
`invoice.incoming.disputed`	The incoming invoice was disputed
`invoice.incoming.paid`	The incoming invoice was marked as paid

Signature Events

Event	Description
`signature.created`	Signature request created
`signature.waiting`	Waiting for a signer action
`signature.signed`	Document signed by a signer
`signature.completed`	All signers have signed
`signature.refused`	Signature refused by a signer
`signature.expired`	Signature request expired
`signature.error`	Error during the signature process

Onboarding Events

Event	Description
`onboarding.started`	A sub-tenant onboarding flow has started
`onboarding.step_completed`	An onboarding step was completed
`onboarding.completed`	The sub-tenant is created and operational (onboarding_status in the payload)
`onboarding.failed`	Onboarding failed (SUPER PDP KYB rejected, popup closed, etc.)

Account Events

Event	Description
`balance.low`	Credit balance is low (alert threshold)
`balance.critical`	Credit balance is critically low

Event Payload

All webhooks are sent as POST requests with a JSON body. Here is an example payload:

invoice.validated payload

json

1{
2  "event": "invoice.validated",
3  "webhook_id": "550e8400-e29b-41d4-a716-446655440000",
4  "timestamp": "2026-05-10T10:30:00+00:00",
5  "company_id": "123e4567-e89b-12d3-a456-426614174000",
6  "data": {
7    "invoice": {
8      "id": "inv_01975f80c4ee7800",
9      "invoice_number": "T0001-202605-00042",
10      "status": "validated",
11      "total_amount": 1200.00,
12      "currency": "EUR",
13      "customer": {
14        "name": "Client SARL",
15        "siret": "12345678900012"
16      },
17      "created_at": "2026-05-10T09:00:00+00:00",
18      "validated_at": "2026-05-10T10:30:00+00:00"
19    }
20  }
21}

Common Fields

Field	Type	Description
`event`	string	Event type (e.g., invoice.validated)
`webhook_id`	uuid	Unique webhook configuration ID
`timestamp`	ISO 8601	Event timestamp
`company_id`	uuid	Company ID associated with the event
`data`	object	Event-specific data

Best Practices

Follow these guidelines to ensure reliable webhook processing.

Store the Secret Immediately

Since the 2026-05-26 security audit, the webhook secret is exposed in clear text ONLY ONCE (at creation or regeneration). Copy it immediately to your secret manager — subsequent GET requests only return a fingerprint (secret_last4).

Always Verify Signatures

Never process a webhook without verifying its signature first. This prevents spoofed requests.

Respond Quickly

Return a 200 status code within 5 seconds. Process heavy logic asynchronously using a queue.

Implement Idempotence

Use webhook_id and timestamp to detect duplicates. Webhooks may be retried on failure.

Handle Retries

Scell.io retries failed webhooks with exponential backoff. Design your handler to be resilient.

Retry Policy

Scell.io automatically retries failed webhook deliveries with exponential backoff.

Attempt	Delay	Total Time
1st retry	1 minute	1 min
2nd retry	5 minutes	6 min
3rd retry	30 minutes	36 min

Success Codes: Any 2xx response is considered successful. The webhook is marked as delivered.

Failure Handling: After 3 consecutive failures, the webhook endpoint is automatically disabled. Re-enable it from your dashboard.

Timeout: Requests timeout after 30 seconds. Respond quickly and process asynchronously.

Ready to integrate webhooks?

Create your account and configure webhooks in minutes.

Get API Keys Contact Sales