Webhook 2: Chat Notifications


Events chat

InstaLeap only reports messages that originate on your side and are destined for the client.

The InstaLeap chat notifications webhook enables your system to show notifications related to the chat embedded in the Live Status Widget. Remember that a webhook works like a reverse API: you have to provide a POST URL to which our systems will send notifications of new messages. Each message sent by pickers, drivers, or support agents POSTs a new event to your endpoint.


Use the jobId to deep-link the push notification to the view in your app.


In order to protect your systems from external attacks, InstaLeap signs the webhook events it sends to your endpoints. We do so by including a signature in each event’s InstaLeap-Signature header. We have different security options that you can select to recognize where the events come from:

1. Security Instaleap signature:

This allows you to verify that the events were sent by InstaLeap, not by a third party. You can verify signatures using standard libraries such as crypto for NodeJS. The hash algorithm used is SHA-256 and it is hashed with a secret provided to you by InstaLeap for each environment.

How to check the signature?

To verify that the InstaLeap-Signature is valid, please follow these steps:

  1. Once you receive the request, create a string joining id, created_at, and type by an & character from the event payload.
  2. Hash the string with the secret provided to you, using an SHA-256 algorithm.
  3. Compare the resulting hash with the InstaLeap-Signature header.
  4. If the signature is correct, process the event in your system.
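
Steps 1 to 4 in Node.js, as an added example that is not InstaLeap's own code. It assumes that "hash the string with the secret" means HMAC-SHA256 with a hex-encoded digest, which this page does not state; the function names, the secret and the event values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Steps 1-2: join id, created_at and type with "&" and hash with the secret.
// Assumption: keyed hash = HMAC-SHA256, digest hex-encoded (not stated on the page).
function expectedSignature(event, secret) {
  const signedString = [event.id, event.created_at, event.type].join("&");
  return crypto.createHmac("sha256", secret).update(signedString, "utf8").digest("hex");
}

// Steps 3-4: compare with the InstaLeap-Signature header; true means "process the event".
function verifySignature(event, headerValue, secret) {
  if (!event || typeof headerValue !== "string") return false;
  // Array.join() renders undefined/null as "", so a payload with a missing
  // field would otherwise be signed as e.g. "&&". Reject it explicitly.
  for (const field of ["id", "created_at", "type"]) {
    if (event[field] === undefined || event[field] === null || event[field] === "") {
      return false;
    }
  }
  const expected = Buffer.from(expectedSignature(event, secret), "utf8");
  const received = Buffer.from(headerValue.trim().toLowerCase(), "utf8");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== received.length) return false;
  // Constant-time comparison avoids leaking how many leading characters matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real InstaLeap data).
const SAMPLE_SECRET = "constructed-test-secret";
const sampleEvent = {
  id: "evt-0001",
  created_at: "2021-08-05T00:54:27.918Z",
  type: "chat_message",
};
const sampleHeader = expectedSignature(sampleEvent, SAMPLE_SECRET);

console.log(verifySignature(sampleEvent, sampleHeader, SAMPLE_SECRET)); // true
console.log(verifySignature({ ...sampleEvent, type: "other" }, sampleHeader, SAMPLE_SECRET)); // false
```

Keep a separate secret per environment, as the page describes, and return a non-2xx status without processing the event when `verifySignature` returns false.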

2. Static token:

To implement this type of authentication you should send two requirements:

  • Header: The header name where you want us to send the auth token.
  • Token: The static token that you want us to send to your services to perform the auth.

3. DynamicToken:

To implement this type of authentication we need the below requirements:

  • RenewURL: The URL where we should request new dynamic tokens.
  • Credentials: The credentials we should send to the renewURL to retrieve new dynamic tokens. This can be headers and body credentials depending on your auth server.
  • formatOfCredentials: The format in which we should send the credentials to the renewURL. It can be JSON or formData.
  • Response: The details of the response we will receive from auth server. The status code expected, the body expected, and the field name of the body where the dynamic token is located.

For DynamicToken, we recommend that you send us a tested Postman collection that works with your auth server, to make things easier.


formatOfCredentials - DynamicToken

We only support these formats:
• formData
• urlEncoded

    {
      "client_id": "string",
      "created_at": "2021-08-05T00:54:27.918Z",
      "sender": "SH",
      "job_id": "string",
      "notification_message": "Hi my name is Jose"
    }