Additional providers
The platform mounts provider callbacks in the service that owns the resulting workflow. This page is a source-backed route index, not a provider roadmap.
Current inbound routes
| Provider | Owner | Route | Purpose |
|---|---|---|---|
| Stripe | Portal API | POST /webhooks/stripe | Platform billing and entitlements |
| Stripe | Accounting API | /webhooks/stripe | Connected-account accounting intake |
| Stripe | Commerce API | POST /webhooks/stripe | Storefront checkout completion |
| PayPal | Accounting API | POST /webhooks/paypal | Accounting payment intake |
| Braintree | Accounting API | POST /webhooks/braintree | Accounting payment intake |
| Plaid | Accounting API | POST /webhooks/plaid | Bank-feed updates |
| Avalara | Accounting API | POST /webhooks/avalara/1099 | 1099 and W-9 synchronization callback |
| Shopify | Commerce API | POST /webhooks/shopify | Marketplace order and product events |
| ShipStation | Commerce API | POST /webhooks/shipstation | Shipping events; mounted when its worker is configured |
Production origins are listed in the HTTP route reference. Provider receivers generally require provider-specific signature verification and configuration; the route existing in source does not mean a tenant connection is enabled.
Shopify
Commerce currently exposes:
| Route | Purpose |
|---|---|
GET /shopify/install | Begin Shopify OAuth when the connector is configured |
GET /shopify/callback | Complete Shopify OAuth |
POST /webhooks/shopify | Receive Shopify topics |
The webhook handler validates X-Shopify-Hmac-Sha256 when a shared secret is configured, resolves the Shopify shop to a channel and tenant, records canonical webhook audit data, and handles the implemented order and product topics. Unknown topics are acknowledged without being projected.
Integration guidance
- Use the endpoint belonging to the target pillar; similarly named paths can have different contracts.
- Preserve the raw body for signature verification.
- Configure provider secrets in deployment or the supported connection flow, never in client-side code.
- Expect duplicate delivery and use the provider event ID for idempotency where the receiver contract exposes one.
- Consult the provider-specific handler before assuming acknowledgement, retry, or durability behavior.
Related
Loading index…