Populi Account Admins have the ability to create webhooks by clicking their profile picture in the upper right and then navigating to Account & Settings > Account > Webhooks.
They can then click Add Webhook to subscribe to notifications from dozens of different events that occur every day in Populi - for example whenever a financial transactions is voided or a new user is created.
If you don't add any conditions you'll receive the webhook every time it's fired, but often you'll want to limit the webhooks you receive by adding multiple condition groups, each of which can be "all conditions must match" or "any condition must match".
Below conditions you'll enter the URL, any expanded properties you want added to the main response, and optionally an HTTP method other than the default GET.
But how does your web application decide if a webhook was really from Populi or not? The answer is by using the Populi-RSA-SHA256-Signature header. Populi currently signs all webhooks with the following public key using a hex encoded RSA SHA256 signature:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Verifying this signature depends on the language you're using, but will look something like this:
def valid_signature_for( message, signature : String )
public_key = OpenSSL::PKey::RSA.new POPULI_PUBLIC_KEY, is_private: false
public_key.verify(OpenSSL::Digest.new("SHA256"), signature.hexbytes, message)