Notification Configuration

Learn how to configure your notification preferences and set up webhooks.

Handling Webhook Notifications

  1. Verify the webhook signature using the shared secret
  2. Process the event based on its type
  3. Return a 200 status code to acknowledge receipt of the webhook
  4. Implement retry logic for failed webhook deliveries

Configuration Options

You can configure your notification preferences through:

  1. The Vendor Portal interface
  2. The PATCH /v1/vendor API endpoint

Request

PATCH /v1/vendor
{
  "communication_preferences": {
    "webhooks_enabled": true,
    "webhook_url": "https://your-endpoint.com/webhooks"
  }
}

Webhook Setup

If you choose to receive webhooks:

  • Configure your webhook URL through the Vendor Portal or by using the PATCH /v1/vendor endpoint
  • Ensure your endpoint can process HTTP POST requests with JSON payloads
  • Implement proper security measures to validate incoming webhook requests

Security Best Practices

  • Always verify the webhook signature using the shared secret
  • Use HTTPS endpoints for receiving webhooks
  • Implement proper error handling for webhook processing
  • Rotate your webhook signing secret periodically through the Vendor Portal
  • Return 2xx response codes promptly to acknowledge receipt of the webhook

Signature Verification

If you have created a signing secret, The RealReal signs every webhook request, so you can verify the validity of each request before processing its data.

  • Each webhook request includes an X-TRR-Signature header with the HMAC-SHA256 signature
  • The signature is generated using your webhook signing secret
  • You can obtain your webhook signing secret from the Vendor Portal

Example Pseudocode for Signature Verification

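import hmac
import hashlib

def verify_webhook_signature(payload, signature, signing_secret):
    """Return True if signature is the hex HMAC-SHA256 of the raw payload."""
    if not signature:
        return False  # Header missing or empty: treat as invalid
    if isinstance(payload, str):
        payload = payload.encode('utf-8')  # Raw bodies are usually already bytes
    computed_signature = hmac.new(
        signing_secret.encode('utf-8'),
        payload,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison; compare as bytes so odd header values cannot raise
    return hmac.compare_digest(
        computed_signature.encode('utf-8'), signature.encode('utf-8')
    )

# Usage (request is your web framework's request object)
payload = request.body  # The raw request body, before any JSON parsing
signature = request.headers.get('X-TRR-Signature')
is_valid = verify_webhook_signature(payload, signature, 'your_signing_secret')

if is_valid:
    pass  # Process the webhook
else:
    pass  # Reject the webhook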
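
Added example (not code from The RealReal): a framework-independent receiver that applies the handling steps and best practices above, verifying X-TRR-Signature over the raw request bytes before any JSON parsing and accepting the previous secret while a rotation is in progress. The names sign and handle_webhook, the 401/400 rejection codes, the overlapping-secret window and the sample payload are assumptions, not documented behaviour.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-TRR-Signature"

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, as in the pseudocode above."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body: bytes, headers: dict, secrets: list):
    """Return (status_code, event); event is None unless the request verified.

    secrets: current signing secret first, optionally the previous one during
    a rotation (assumption: the page does not describe an overlap window).
    Rejection codes 401 and 400 are assumptions; the page only specifies 2xx.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "").strip().encode("utf-8")
    if not received:
        return 401, None  # unsigned request: reject without parsing
    # Check every candidate secret; each comparison is constant-time.
    matched = False
    for secret in secrets:
        expected = sign(raw_body, secret).encode("utf-8")
        matched |= hmac.compare_digest(expected, received)
    if not matched:
        return 401, None
    # Parse only after the exact bytes on the wire have been authenticated.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, event  # acknowledge promptly; queue slow processing elsewhere

# Constructed sample data (not a real payload or secret).
OLD_SECRET, NEW_SECRET = "constructed-old-secret", "constructed-new-secret"
BODY = b'{"id": "evt_1",  "kind": "example"}'  # note the double space
HEADERS = {"x-trr-signature": sign(BODY, NEW_SECRET)}

if __name__ == "__main__":
    print(handle_webhook(BODY, HEADERS, [NEW_SECRET]))
```

Verifying a body that was parsed and re-serialized fails even for a genuine request, because whitespace and key order change the bytes; always pass the unmodified request body.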