Overview
Root uses webhooks to let your application know when events happen, such as when a policy is issued, or a claim is opened. When the event occurs, Root queues an HTTP POST request to the URL you configured for the webhook. You can set this URL through the API. The request payload will include details of the event.
A webhook endpoint is a destination on your server that receives requests from Root. Add a new endpoint to your server and make sure it's publicly accessible so we can send unauthenticated POST requests.
For a step by step guide on how to set up a webhook on Root and verify incoming requests, go to our Webhook setup and verification tutorial.
Response from your server
When responding to the webhook request, your server must respond with a status code in 2XX range (200 - 299) to indicate a successful receipt. Any other status code will be treated as a failure on the Root platform, and the request will be retried (see below).
The request from Root will time out after 30 seconds. If your server fails to respond within the timeout window, the request will be retried.
Handle webhook events asynchronously
We strongly recommend that you configure your handler to process incoming events using an asynchronous queue. You might encounter scalability issues if you choose to process events synchronously. Any large spike in webhook deliveries might overwhelm your endpoint hosts.
Asynchronous queues allow you to process concurrent events at a rate your system can support. It also reduces your server's response time to the webhook request.
Verifying requests
Every webhook includes an X-Hook-Signature header, containing an HMAC digest value. This digest is generated using a combination of the unique webhook secret (as provided when creating a webhook) and the webhook payload, using sha1 as the hashing algorithm.
To verify that the payload has originated from the Root platform, you can generate an HMAC digest on your server, and compare it to the one provided in the headers. Below are some simple examples:
const secret = "B3a8y1WotX7glI7OxZhX5EAd_6UJ7YEvTJBNQzano4dHjntn9_5AlyPg-dzpX76A";
app.post('/', (req, res, next) => {
const signature = req.get("X-Hook-Signature");
const check = crypto.createHmac("sha1", secret);
check.update(req.body); // The raw (unparsed) request body string
const digest = check.digest("hex");
if (signature === digest) {
res.status(200).send();
} else {
res.status(401).send()
}
});
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.Formatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class HmacSha1Signature {
private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";
private static String toHexString(byte[] bytes) {
Formatter formatter = new Formatter();
for (byte b : bytes) {
formatter.format("%02x", b);
}
return formatter.toString();
}
public static String calculateRFC2104HMAC(String data, String key)
throws SignatureException, NoSuchAlgorithmException, InvalidKeyException
{
SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM);
Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
mac.init(signingKey);
return toHexString(mac.doFinal(data.getBytes()));
}
public static void main(String[] args) throws Exception {
String hmac = calculateRFC2104HMAC("data", "key");
System.out.println(hmac);
assert hmac.equals("104152c5bfdca07bc633eebd46199f0255c9f49d");
}
}
As an additional verification step, you can optionally provide your own verification token when creating a webhook. This token will be included in all webhook payloads as verification_token.
Retries
If a webhook request fails or times out (after 30 seconds), the request will be retried at least once, with a an approximate delay between 5s and 40s.
Priority
Each webhook has a priority of 1 or 2. Attempts for priority 1 webhooks are prioritised over priority 2 webhooks.
Production webhooks are priority 1 by default. If an attempt fails, or the server takes more than 5 seconds to respond, the webhook is assigned priority 2. Once an attempt succeeds with a response time less than 5 seconds, the webhook is upgraded back to priority 1.
All sandbox webhooks are priority 2 and their priority is never updated.
Automatic disable behaviour
Root automatically disables failing webhooks that meet the following criteria over a period of 48 hours, 96 hours, or 2 weeks:
- At least 10 queue events were triggered
- A 100% failure rate
- At least 12 hours elapsed between the earliest and latest queue event
Queue events for disabled webhooks are stored as failed and you can retry them.
Event webhooks
The majority of webhook subscriptions available on the Root platform are related to events.
Payload structure
Each event webhook has the following payload structure:
| Property | Definition |
|---|---|
webhook_id | string. The unique ID of the webhook. |
event | object. The event data - see webhook events for available event types. |
verification_tokenoptional | string. An optional verification token token as provided during creating a webhook. |
environment | string. The dataset used by the webhook. Either sandbox or production. |
Certain webhooks contain additional top-level properties. For example, the policyholder_created webhook contains the policyholder object, and the policy_issued webhook contains the policy object.
Available subscriptions
The following events are available for subscription. An example of each event is documented on the events page.
If you want to subscribe to a webhook for an event not listed here, please submit an idea on our product roadmap portal describing your use case. We regularly review new ideas and will consider adding new subscriptions to the platform.
| Event | Description |
|---|---|
alteration_package_created | Indicates that an alteration package has been created on the policy. |
policy_issued | Indicates that a new policy has been issued. |
policy_cancelled | Indicates that a policy has been cancelled. |
policy_cancel_failed | Indicates that a policy has failed to be cancelled. |
policy_activated | Indicates that a policy has received its first payment and is now active. |
policy_lapsed | Indicates that a policy has lapsed. |
policy_not_taken_up | Indicates that a policy has been marked as not taken up. |
policy_expired | Indicates that a policy has expired. |
policy_lapse_failed | Indicates that a policy has failed to be lapsed. |
policy_updated | Indicates that a policy has been updated. |
policy_reactivated | Indicates that a policy has been reactivated. |
policy_requoted | Indicates that a policy has been requoted. |
policy_beneficiaries_updated | Indicates that a policy's beneficiaries have been updated. |
policy_covered_people_updated | Indicates that a policy's covered people have been updated. |
policyholder_created | Indicates that a policyholder has been created. |
policyholder_updated | Indicates that a policyholder has been updated. |
quote_package_created | Indicates that a new quote has been created. |
application_created | Indicates that a new application has been created. |
application_updated | Indicates that an application has been updated. |
claim_opened | Indicates that a new claim has been opened. |
claim_sent_to_review | Indicates that a claim has been sent to review. |
claim_approved | Indicates that a claim has been approved. |
claim_repudiated | Indicates that a claim has been repudiated. |
claim_paid_out | Indicates that a claim has been paid out. |
claim_linked_to_policy | Indicates that a claim has been linked to a policy. |
claim_approval_acknowledged | Indicates that the decision to approve a claim has been accepted by the supervisor. |
claim_goodwill_acknowledged | Indicates that the decision to approve a claim as goodwill has been accepted by the supervisor. |
claim_no_claim_acknowledged | Indicates that the decision to reject a claim has been accepted by the supervisor. |
claim_repudiation_acknowledged | Indicates that the decision to repudiate a claim has been accepted by the supervisor. |
text_note_created | Indicates that a note has been added to a claim. |
attachment_archived | Indicates that an attachment on a claim has been archived. |
claim_checklist_item_checked | Indicates that a claim checklist item has been changed. |
attachment_created | Indicates that an attachment has been added to a claim. |
claim_checklist_item_note_created | Indicates that a note has been added to a claim checklist item. |
claim_approval_not_acknowledged | Indicates that the decision to approve a claim has been rejected by the supervisor. |
claim_goodwill_not_acknowledged | Indicates that the decision to approve a claim as goodwill has been rejected by the supervisor. |
claim_no_claim_not_acknowledged | Indicates that the decision to reject a claim has been rejected by the supervisor. |
claim_repudiation_not_acknowledged | Indicates that the decision to repudiate a claim has been rejected by the supervisor. |
claim_goodwill | Indicates that a claim has been approved as goodwill. |
claim_no_claim | Indicates that a claim has been rejected. |
claim_reopened | Indicates that a claim has been reopened. |
claim_updated | Indicates that a claim has been updated. |
claimant_updated | Indicates that a claimant on a claim has been updated. |
complaint_opened | Indicates that a new complaint has been opened. |
payment_method_assigned | Indicates that a payment method has been saved on a policy. |
payment_created | Indicates that a payment has been created |
payment_failed | Indicates that a payment has failed. |
payment_succeeded | Indicates that a payment has succeeded. |
payment_reversed | Indicates that a payment has been reversed. |
payment_updates_succeeded | Indicates that an attempt to update payments async succeeded |
payment_updates_failed | Indicates that an attempt to update payments async failed |
Notification webhooks
These webhooks relate to customer notifications - email and SMS notifications that go out to policyholders and claimants.
Payload structure
Notification webhooks have the following payload structure:
| Property | Definition |
|---|---|
webhook_id | string. The unique ID of the webhook. |
verification_tokenoptional | string. An optional verification token token as provided during creating a webhook. |
environment | string. The dataset used by the webhook. Either sandbox or production. |
notification | object. The notification object. |
Available subscriptions
The following webhook subscriptions are available for notifications:
| Subscription name | Description |
|---|---|
notification_created | Indicates that a notification entity has been created created and stored on the Root platform. This does not, in and of itself, indicate that the notification has been sent or will be sent by the Root platform. |
notification_sent | Indicates that a notification (email, SMS or other) has been successfully sent by the Root platform. |