LifeSteala LifeSteala - 5 days ago 7
PHP Question

Bigcommerce - Developing an application in PHP - Webhooks

This is my very first application I'm developing for an internal business requirement and I'm needing some help getting started.

So far I have found their documentation to be quite low in terms of standards but with a lot of Googling and research, I've managed to get a successful request producing an Access Token.

I have used Composer to download Guzzle and create a little code that listens to a GET request and I POST some details up and received the token. Great!

What now? It looks like I need to register a web hook but first I want to start with listing hooks - just to get a feel for what I need to do next.

I'm looking to retrieve order details each time a order is placed.


  • I have a oauth.php file hosted on a SSL host which is called when I install a app. This gives me a token. Do I straight after receiving the token, register the web hook?

  • If that is a yes, do I now create a webhook.php file which listens for orders placed in real time?

  • If that is a yes, do I need to run the same code I have in oauth, to check if I'm allowed and if so, listen to the call and process?


Once you have an access token, you can create/list webhooks at any time. According to the sparse documentation, your access token will expire in 30-60 days, so you will need to eventually renew it.

Once you have created the webhook you will need a script in place to receive the incoming data from BigCommerce. If the webhook receives an HTTP code other than 200 from the script, it will attempt to repeat the request with a delay, and after a number of failures will eventually mark the hook as inactive.

You don't need any oauth related code on the script that is being triggered by webhooks. If you do want some form of authentication to verify the source of the data, look into the documentation on sending custom headers with the webhook requests. When the webhook triggers it will send a JSON object that contains the scope and ID of the resource that was changed.

It should be noted that while you need an HTTPS URL for both the oauth process and the webhook triggers, the webhook triggers will not work unless your SSL has all intermediate certificates loaded. You can get through the OAuth process without this, but the hooks will simply not work, to the extent of not even hitting your servers access logs.