DropLinkDocsGet it on Shopify →

Webhooks

DropLink can POST to your endpoints in real time when things happen to your links. Available on the Growth plan — register endpoints in Settings → Webhooks inside the app.

Events

Event Fires when data payload
link.created A link is created (dashboard or API) { "link": { "id", "title", "shortCode" } }
link.updated A link is edited { "link": { "id", "title", "shortCode" } }
link.deleted A link is deleted via the API { "link": { "id", "title", "shortCode" } }
link.clicked A buyer follows a short link { "linkId", "shortCode", "referrer"? }
conversion.recorded A Shopify order is attributed to a link { "linkId", "shortCode", "orderId", "orderTotal", "isSubscription" }

Delivery format

Every delivery is an HTTPS POST with a JSON envelope:

{
  "event": "conversion.recorded",
  "timestamp": "2026-06-10T12:00:00.000Z",
  "data": {
    "linkId": "01JD...",
    "shortCode": "abc1234",
    "orderId": "gid://shopify/Order/123",
    "orderTotal": 49.5,
    "isSubscription": true
  }
}

Headers:

X-DropLink-Event:      conversion.recorded
X-DropLink-Signature:  sha256=<hex HMAC-SHA256 of the raw request body>

Verifying signatures

Each endpoint gets a secret at registration (shown once). Compute an HMAC-SHA256 of the raw request body with that secret and compare it to the signature header using a constant-time comparison:

// Node.js
const crypto = require("node:crypto");

const expected =
  "sha256=" +
  crypto.createHmac("sha256", WEBHOOK_SECRET).update(rawBody).digest("hex");

const valid = crypto.timingSafeEqual(
  Buffer.from(req.headers["x-droplink-signature"]),
  Buffer.from(expected)
);

Reject anything that doesn't verify — the signature is your only proof the delivery came from DropLink.

Delivery rules

  • Respond with a 2xx within 5 seconds to acknowledge.
  • Failures and timeouts are retried up to 3 times with exponential backoff (0.5s, 1s, 2s).
  • 4xx responses are not retried — they're treated as a permanent rejection.
  • After 10 consecutive failures the endpoint is auto-disabled; re-enable it from Settings → Webhooks once your endpoint is healthy.
  • Deliveries are at-least-once: design your consumer to be idempotent (the orderId / linkId fields make good dedupe keys).

Recent delivery attempts — status codes, response times, and errors — are visible per endpoint in Settings → Webhooks.