Skip to main content
Webhooks allow you to receive real-time notifications about events happening in your connected accounting systems. This enables you to automate workflows and keep your data in sync without the need for constant polling.

Unified Webhooks

Maesn supports a single, unified webhook type for all systems. Endpoint url : POST /webhooks Subscriptions are created per customer, so each customer events is received through the related subscription. Requires both the X-API-KEY and the X-ACCOUNT-KEY in the header. Systems that support customer-based webhooks:
  • businesscentral
  • exact-nl
  • freshbooks
  • lexware-office
  • moneybird
  • qonto
  • quickbooks
  • weclapp
  • xero

Setting up a webhook

To set up a webhook, you need to create a subscription by sending a POST request to the /webhooks endpoint. The request body support the following parameters:
  • callbackUrl: The URL where you want to receive webhook events.
  • eventType: The type of event you want to subscribe to (e.g., CREATED, UPDATED, DELETED).
  • resource: The resource you want to monitor (e.g., INVOICE, CUSTOMER).
In each target system page, you can check the required input parameters for the request body.

Getting events

Once a webhook is set up, you will start receiving events at the specified callback URL. Each event will contain information about the resource that triggered the event, including its event type and ID. The received event body will look similar to this:
Example event body
{
    "eventType": "CREATED",
    "filterDate": "2023-10-01T00:00:00Z",
    "resource": "INVOICE",
    "resourceId": "bca91f06-0414-4b24-81fa-8489105afceb"
}
Note: for Business Central, Quickbooks and Xero the notification will be an array of objects.

Handling events

When your server receives a webhook event, it should process the event according to your application’s logic. This may involve updating records in your database, triggering other workflows, or sending notifications.

Deleting a webhook

If you no longer need a webhook, you can delete it by sending a DELETE request to the /webhooks/{webhookId}endpoint.

Webhook Authentication

All received events to the callback URL include an X-MAESN-SIGNATURE header containing an HMAC-SHA256 signature for verification.

How to Verify

  1. Get the signature from the X-MAESN-SIGNATURE header
  2. Compute HMAC-SHA256 of the raw request body using the webhook secret returned during webhook creation
  3. Compare the computed signature with the header value
Node.js
const crypto = require('crypto');

const expectedSig = crypto
  .createHmac('sha256', webhookSecret)
  .update(rawBody)
  .digest('hex');

const isValid = crypto.timingSafeEqual(
  Buffer.from(expectedSig),
  Buffer.from(headerSig)
);
Always use the raw request body before parsing JSON. Your webhook secret is provided when creating the webhook endpoint.
Last modified on February 13, 2026