Skip to content
AM

Additional providers

The platform mounts provider callbacks in the service that owns the resulting workflow. This page is a source-backed route index, not a provider roadmap.

Current inbound routes

ProviderOwnerRoutePurpose
StripePortal APIPOST /webhooks/stripePlatform billing and entitlements
StripeAccounting API/webhooks/stripeConnected-account accounting intake
StripeCommerce APIPOST /webhooks/stripeStorefront checkout completion
PayPalAccounting APIPOST /webhooks/paypalAccounting payment intake
BraintreeAccounting APIPOST /webhooks/braintreeAccounting payment intake
PlaidAccounting APIPOST /webhooks/plaidBank-feed updates
AvalaraAccounting APIPOST /webhooks/avalara/10991099 and W-9 synchronization callback
ShopifyCommerce APIPOST /webhooks/shopifyMarketplace order and product events
ShipStationCommerce APIPOST /webhooks/shipstationShipping events; mounted when its worker is configured

Production origins are listed in the HTTP route reference. Provider receivers generally require provider-specific signature verification and configuration; the route existing in source does not mean a tenant connection is enabled.

Shopify

Commerce currently exposes:

RoutePurpose
GET /shopify/installBegin Shopify OAuth when the connector is configured
GET /shopify/callbackComplete Shopify OAuth
POST /webhooks/shopifyReceive Shopify topics

The webhook handler validates X-Shopify-Hmac-Sha256 when a shared secret is configured, resolves the Shopify shop to a channel and tenant, records canonical webhook audit data, and handles the implemented order and product topics. Unknown topics are acknowledged without being projected.

Integration guidance

  • Use the endpoint belonging to the target pillar; similarly named paths can have different contracts.
  • Preserve the raw body for signature verification.
  • Configure provider secrets in deployment or the supported connection flow, never in client-side code.
  • Expect duplicate delivery and use the provider event ID for idempotency where the receiver contract exposes one.
  • Consult the provider-specific handler before assuming acknowledgement, retry, or durability behavior.