Site Logo

🎉 ShipEngine is becoming ShipStation API 🎉

Over the next few months you'll notice the ShipEngine website, documentation portal, and dashboard being rebranded as ShipStation API. For our ShipEngine customers, you don't need to take any action or change any of your integrations in any way. All endpoints will remain the same and continue to function as they always have.

To learn more about what's coming, review our New ShipStation API page.

Setting Up Webhooks

ShipStation API allows you to subscribe to webhooks to receive real-time updates for long-running asynchronous operations. This allows your application to move on to other work while the operation is running rather than being blocked until it completes.

It also allows ShipStation API to push updates to your application rather than having your application continually poll for updates. For example, you may subscribe to the track webhook event to automatically receive an update anytime a tracking event occurs. Rather than continually sending a request to the /v1/labels/:label_id/track endpoint to see if the tracking information has been updated since the last time you checked, you can subscribe to the track webhook event and ShipStation API will push the notification to your application via a webhook whenever the tracking details are updated.

Configuring Webhooks

Before you can begin receiving webhooks, you must configure your ShipStation API account with the HTTP endpoints you'd like for the webhooks to be sent to. You can do this through the ShipStation API Dashboard or through the API.

Requirements

You must be in the Production environment of the ShipStation API dashboard to set up webhooks.

Configure Using the Dashboard

  1. Log in to your account Dashboard.
  2. Go to Developer, then Webhooks.
  3. Click the Add New Webhook button.
  4. Select your Webhook Event and enter your Webhook URL. You can set up multiple URLs for the same Event.
  5. Click the green checkmark icon to save your webhook.
Dashboard webhooks settings

Configure Using the API

To configure a webhook using the API, you'll need to provide a url and an event that will trigger the webhook. You'll send this data using the POST method to /v1/environments/webhooks. You may only configure one URL per event.

The payload for each type of webhook event will have a unique resource_type which indicates which type of event triggered the webhook.

You can use the following event names and corresponding resource types in your payload when you configure a webhook through the API:

DescriptionEventResource Type
Batch completedbatchAPI_BATCH
Shipment rate updatedrateAPI_RATE
Any tracking eventtrackAPI_TRACK
Carrier connectedcarrier_connectedAPI_CARRIER_CONNECTED
Sales Orders imported (Beta)sales_orders_importedAPI_SALES_ORDERS_IMPORTED
Order Source refresh complete (Beta)order_source_refresh_completeAPI_ORDER_SOURCE_REFRESH_COMPLETE
A requested report is readyreport_completeAPI_REPORT_COMPLETE

Example Request

This example uses a batch event.

POST /v1/environment/webhooks

1
2
3
4
5
6
7
8
9
POST /v1/environment/webhooks HTTP/1.1
Host: api.shipengine.com
API-Key: __YOUR_API_KEY_HERE__
Content-Type: application/json
{
    "url": "https://example.com/batch",
    "event": "batch"
}

Testing Webhooks

You can use a service like Webhook.site to create temporary URLs to receive webhooks. It will allow you to observe any HTTP requests the temporary URL receives. This will allow you to see the exact payload and headers sent from our system, before your application is ready to accept it. Make sure to unregister the webhook after your testing is complete.

Validating Webhooks

ShipStation includes a digital signature (RSA-SHA256) in all outgoing webhooks. This allows you to ensure requests received at your webhook URL were sent from our systems.

We have a full code example that demonstrates the steps.

Step 1: Extract the Signature Headers

Extract the three signature headers from the incoming webhook request:

  • x-shipengine-rsa-sha256-key-id
  • x-shipengine-rsa-sha256-signature
  • x-shipengine-timestamp

If these headers are not present, you should respond with an HTTP status 404 and stop processing the request. This can help hide the existence of your webhook endpoint from anyone attempting to impersonate our service.

Step 2: Validate the Timestamp

Verify that the timestamp in the x-shipengine-timestamp header is recent, in order to prevent replay attacks. Use your judgement on the age of webhooks you are willing to accept. Note that because of different server time skews, you may receive webhooks with timestamps in the future, so your code should account for that. If the timestamp header is more than 5 minutes difference from the current time, you may want to respond with an HTTP status 400 and stop processing the request. If you encounter a lot of these rejections, you may want to double-check your server clocks, or increase the time range.

Step 3: Get the Raw Request Body

Important: You must use the raw, unparsed request body exactly as received. Do not parse the JSON first and then re-serialize it, as this may change whitespace, property ordering, or encoding, which will cause signature verification to fail. Ensure your web server framework provides access to the unparsed body.

Step 4: Retrieve the Public Key

Fetch the JSON Web Key Set (JWKS) from our public endpoint: https://api.shipengine.com/jwks

The JWKS endpoint returns a standard RFC 7517 JSON Web Key Set containing our public keys. Find the key in the JWKS whose kid (key ID) matches the x-shipengine-rsa-sha256-key-id header value.

The set of keys does not change very often, so it is generally safe to cache the JWKS response for a long period of time. If you receive a webhook request with a x-shipengine-rsa-sha256-key-id value that is not in your cached copy, you should fetch the latest JWKS. The response includes an ETag header, which you can pass in subsequent requests via the If-None-Match header. If the contents hasn't changed, our JWKS endpoint will respond with status 304. If it responds with a status 200, it means the JWKS has changed, has a new ETag, and you should update your cache.

ShipStation may periodically rotate our signing keys. As long as you follow these guidelines related to fetching the JWKS, you should not have any service interruption. A public key will always be present in the JWKS before we start using it for signing outgoing requests.

Step 5: Verify the Signature

To verify the signature, you must first construct the signed payload. This is the value that was hashed using our private key to produce the signature. The signed payload is constructed by concatenating the value from the timestamp header, a literal period (.), followed by the raw request body.

Example:

2025-10-02T04:51:00Z.{"resource_url":"https://api.shipengine.com/example","resource_type":"EXAMPLE"}

Use an RSA SHA-256 validation function on this signed payload, along with the public key from the previous step, to verify the signature.

If the signature validation fails, you should respond with an HTTP status 401, and discard the payload without any further processing.

Example

We've included a full working example of a NodeJS server that receives and validates webhooks, so that you can use it as a reference in your own implementation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
const crypto = require('crypto');


// Cache for JWKS (in production, use a proper caching mechanism)
let jwksCache = null;
let jwksCacheETag = null;


class MissingHeadersError extends Error {}
class TimestampError extends Error {}
class SignatureError extends Error {}


/**
 * Validates webhook signature
 * @throws {MissingHeadersError} When required headers are missing (should return 404)
 * @throws {TimestampError} When timestamp is out of range (should return 400)
 * @throws {SignatureError} When signature validation fails (should return 401)
 */
async function validateWebhookSignature(headers, rawBody) {
  const keyId = headers['x-shipengine-rsa-sha256-key-id'];
  const signature = headers['x-shipengine-rsa-sha256-signature'];
  const timestamp = headers['x-shipengine-timestamp'];


  if (!keyId || !signature || !timestamp) {
    throw new MissingHeadersError('Missing required signature headers');
  }


  // Validate timestamp (5 minute window)
  const webhookTime = new Date(timestamp);
  const now = new Date();
  const ageMinutes = (now - webhookTime) / 1000 / 60;


  if (Math.abs(ageMinutes) > 5) {
    throw new TimestampError(`Webhook timestamp too old or too far in future: ${ageMinutes} minutes`);
  }


  // Get public key
  const publicKey = await getPublicKey(keyId);
  if (!publicKey) {
    throw new SignatureError(`Public key not found for kid: ${keyId}`);
  }


  // Construct signed payload
  const signedPayload = `${timestamp}.${rawBody}`;


  // Verify signature
  const verify = crypto.createVerify('RSA-SHA256');
  verify.update(signedPayload, 'utf8');
  verify.end();


  const isValid = verify.verify(
    publicKey,
    signature,
    'base64'
  );


  if (!isValid) {
    throw new SignatureError('Invalid webhook signature');
  }


  return true;
}




/**
 * Gets public key for a given key ID
 * Handles caching and automatic refresh if key not found
 * @returns Public key object or null if not found
 */
async function getPublicKey(keyId) {
  // Try to find in cached JWKS
  if (jwksCache) {
    const jwk = jwksCache.keys.find(k => k.kid === keyId);
    if (jwk) {
      return jwkToPem(jwk);
    }
  }


  // Key not found in cache, fetch fresh JWKS
  jwksCache = null;
  const jwks = await fetchJWKS();
  const jwk = jwks.keys.find(k => k.kid === keyId);


  if (!jwk) {
    return null; // Key not found
  }


  return jwkToPem(jwk);
}


/**
 * Fetches the JWKS from ShipEngine
 */
async function fetchJWKS() {
  const headers = {};
  if (jwksCacheETag) {
    headers['If-None-Match'] = jwksCacheETag;
  }


  const response = await fetch('https://api.shipengine.com/jwks', {
    method: 'GET',
    headers
  });


  if (response.status === 304 && jwksCache) {
    // Not modified, use cache
    return jwksCache;
  }


  if (!response.ok) {
    throw new Error(`Failed to fetch JWKS: ${response.status}`);
  }


  jwksCache = await response.json();
  jwksCacheETag = response.headers.get('etag');


  return jwksCache;
}


/**
 * Converts JWK to PEM format public key
 */
function jwkToPem(jwk) {
  const modulus = Buffer.from(jwk.n, 'base64');
  const exponent = Buffer.from(jwk.e, 'base64');


  // Create public key from modulus and exponent
  const key = crypto.createPublicKey({
    key: {
      kty: 'RSA',
      n: jwk.n,
      e: jwk.e
    },
    format: 'jwk'
  });


  return key;
}


// Express.js middleware example
function webhookValidationMiddleware(req, res, next) {
  // Capture raw body
  let rawBody = '';


  req.on('data', (chunk) => {
    rawBody += chunk.toString('utf8');
  });


  req.on('end', async () => {
    try {
      await validateWebhookSignature(req.headers, rawBody);
      req.body = JSON.parse(rawBody); // Now safe to parse
      next();
    } catch (error) {
      console.error('Webhook validation failed:', error.message);


      if (error instanceof MissingHeadersError) {
        res.status(404).send();
      } else if (error instanceof TimestampError) {
        res.status(400).json({ error: error.message });
      } else if (error instanceof SignatureError) {
        res.status(401).json({ error: 'Invalid webhook signature' });
      } else {
        res.status(500).json({ error: 'Internal server error' });
      }
    }
  });
}


const express = require('express');
const app = express();
app.post('/webhook', webhookValidationMiddleware, (req, res) => {
  // Process validated webhook
  console.log('Validated webhook:', req.body);
  res.status(200).send('OK');
});


const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Webhook server listening on port ${PORT}`);
});




// How to run:
// 1. Save this entire code block into a file named server.js
// 2. npm install --save express
// 3. npm start

Webhook Payloads

Example payloads for each type of webhook are provided below. You can expect to receive a message with the same structure as these examples whenever you subscribe to the corresponding event. You'll notice that each payload includes a resource_type and a resource_url. Some payloads will contain additional information as well.

When ShipStation API dispatches a webhook, we allow 10 seconds for you to acknowledge you have successfully received the payload (your listener should return a 2xx response to us). If we don't receive an acknowledgement within 10 seconds, the system will put the payload back into the queue and make a maximum of two additional attempts to dispatch the given payload. These attempts are typically separated by 30 minutes. However, this can swap to other timing intervals under certain conditions. If all three attempts receive no response, the event will be removed from the dispatch queue.

Example Batch Event Payload

{
  "resource_url": "https://api.shipengine.com/v1/batches/se-1013119",
  "resource_type": "API_BATCH"
}

Example Track Event Payload

{
  "resource_url": "https://api.shipengine.com/v1/tracking?carrier_code=usps&tracking_number=9400111298370264401222",
  "resource_type": "API_TRACK",
  "data": {
    "label_url": null,
    "tracking_number": "9400111298370264401222",
    "status_code": "IT",
    "carrier_detail_code": null,
    "status_description": "In Transit",
    "carrier_status_code": "NT",
    "carrier_status_description": "Your package is moving within the USPS network and is on track to be delivered the expected delivery date. It is currently in transit to the next facility.",
    "ship_date": "2020-06-30T16:09:00",
    "estimated_delivery_date": "2020-07-06T00:00:00",
    "actual_delivery_date": null,
    "exception_description": null,
    "events": [
      {
        "occurred_at": "2020-07-02T00:00:00Z",
        "carrier_occurred_at": "2020-07-02T00:00:00",
        "description": "In Transit, Arriving On Time",
        "city_locality": "",
        "state_province": "",
        "postal_code": "",
        "country_code": "",
        "company_name": "",
        "signer": "",
        "event_code": "NT",
        "event_description": "In Transit, Arriving on Time",
        "carrier_detail_code": null,
        "status_code": null,
        "latitude": null,
        "longitude": null
      },
      {
        "occurred_at": "2020-06-30T20:09:00Z",
        "carrier_occurred_at": "2020-06-30T16:09:00",
        "description": "Shipment Received, Package Acceptance Pending",
        "city_locality": "VERSAILLES",
        "state_province": "KY",
        "postal_code": "40383",
        "country_code": "",
        "company_name": "",
        "signer": "",
        "event_code": "TM",
        "event_description": "Shipment Received, Package Acceptance Pending",
        "carrier_detail_code": null,
        "status_code": null,
        "latitude": 37.8614,
        "longitude": -84.6646
      }
    ]
  }
}

Example Rate Event Payload

{
  "resource_url": "https://api.shipengine.com/v1/shipments/se-2120221/rates",
  "resource_type": "API_RATE"
}

Example Carrier Connected Event Payload

{
  "resource_url": "https://api.shipengine.com/v1/carriers/se-1234",
  "resource_type": "API_CARRIER_CONNECTED"
}

Example Sales Order Imported Event Payload (Beta)

{
  "resource_url": "https://api.shipengine.com/v-beta/sales_orders",
  "resource_type": "API_SALES_ORDERS_IMPORTED",
  "data": [
  {
    "sales_order_id": "2078df4d-49c1-53da-837a-ad2781b782e0",
    "external_order_id": "611699195963",
    "external_order_number": "SH21622",
    "order_source":
      {
        "order_source_id": "4e4af80f-6974-48b6-b88f-e46f1c2a0b28",
        "order_source_nickname": "Shippity Shop Shopify",
        "order_source_code": "shopify",
        "order_source_friendly_name": "Shopify",
        "refresh_info":
        {
          "status": "idle",
          "last_refresh_attempt": "2018-09-12T19:29:21.657Z",
          "refresh_date": "2018-09-12T19:29:16.837Z"
        },
        "active": true
      },
      "sales_order_status":
      {
        "payment_status": "paid",
        "fulfillment_status": "unfulfilled",
        "is_cancelled": false
      },
      "order_date": "2018-09-12T19:18:12Z",
      "created_at": "2018-09-12T19:29:18.69Z",
      "modified_at": "2018-09-12T19:29:18.69Z",
      "payment_details":
      {
        "subtotal":
        {
          "currency": "usd",
          "amount": 40.0
        },
        "estimated_shipping":
        {
          "currency": "usd",
          "amount": 0.0
        },
        "estimated_tax":
        {
          "currency": "usd",
          "amount": 0.0
        },
        "grand_total":
        {
          "currency": "usd",
          "amount": 40.0
        }
      },
      "customer":
      {
        "name": "Amanda Miller",
        "phone": "555-555-5555",
        "email": "[email protected]"
      },
      "bill_to":
      {
        "email": "[email protected]",
        "address":
        {
          "name": null,
          "phone": null,
          "company_name": null,
          "address_line1": "",
          "address_line2": null,
          "address_line3": null,
          "city_locality": null,
          "state_province": null,
          "postal_code": null,
          "country_code": null,
          "address_residential_indicator": "no"
        }
      },
      "ship_to":
      {
        "name": "Amanda Miller",
        "phone": "555-555-5555",
        "address_line1": "525 S Winchester Blvd",
        "city_locality": "San Jose",
        "state_province": "CA",
        "postal_code": "95128",
        "country_code": "US",
        "address_residential_indicator": "yes"
      },
      "sales_order_items": [
      {
        "sales_order_item_id": "6f8f3f51-7a5a-50b2-a842-d6e89a5b5b26",
        "line_item_details":
        {
          "name": "Bubble Popper 4XL",
          "sku": "BUB-1-T",
          "weight":
          {
            "value": 2.8,
            "unit": "ounce"
          }
        },
        "ship_to":
        {
          "name": "Amanda Miller",
          "phone": "555-555-5555",
          "address_line1": "525 S Winchester Blvd",
          "city_locality": "San Jose",
          "state_province": "CA",
          "postal_code": "95128",
          "country_code": "US",
          "address_residential_indicator": "yes"
        },
        "requested_shipping_options":
        {
          "shipping_service": null,
          "ship_date": null
        },
        "price_summary":
        {
          "unit_price":
          {
            "currency": "usd",
            "amount": 40.0
          },
          "estimated_tax":
          {
            "currency": "usd",
            "amount": 0.0
          },
          "estimated_shipping": null,
          "total":
          {
            "currency": "usd",
            "amount": 40.0
          }
        },
        "quantity": 1,
        "is_gift": false
      }]
  }]
}

Example Order Source Refresh Complete Event (Beta)

{
  "resource_url": "https://api.shipengine.com/v-beta/stores/se-0bdf1f26-5708-4e0b-a548-fd2a5720779f",
  "resource_type": "API_ORDER_SOURCE_REFRESH_COMPLETE"
}

Example Report Complete Event Payload

{
  "resource_url": "https://api.shipengine.com/adjustments/se-0bdf1f26-5708-4e0b-a548-fd2a5720779f",
  "resource_type": "API_REPORT_COMPLETE"
}