
Webhook guidelines

If you follow the Corvina applications guide, you will see that the Corvina platform provides a webhook to notify your application when a new event occurs (installation and uninstallation are examples).

Each time the Corvina platform sends a notification to your application, it sends a POST request to the webhook URL you provided. The request contains a JSON payload with the event details (so the Content-Type is application/json). The request also contains a standard Authorization header carrying a signed JWT, which you can verify using the public key provided by the Corvina platform (available at https://instance-auth-url.io/auth/realms/your-realm-name/.well-known/openid-configuration).

Retry policy

If your application is not available when the Corvina platform sends a notification, the platform will retry the notification 3 times with an exponential backoff. Currently the retry policy is configured to retry after 1, 3 and 9 seconds (but we reserve the right to change this slightly in the future).

We retry only if the response status code is 429 or 5xx. For any other 4xx response status code, we don't retry.

Timeout

The timeout for the webhook is 7 seconds. If your application takes more than 7 seconds to process the notification, the Corvina platform will consider the notification successful and will not retry it.

Tip

If your application needs more time to process the notification, it is perfectly fine to execute the processing in a background job and return a 202 response code. This way the Corvina platform will not retry the notification. If you want a more reliable way to process the notification, you can use an internal queue system instead of a background job.

Security

The webhook is a public endpoint, so you should take care of the security of your application. We recommend validating the Authorization header and the payload signature using the public key provided by the Corvina platform.
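
An added example (not Corvina's own code) of a receiver that applies the rules above: it fails closed with a 4xx on a bad token or payload, which is not retried, answers 503 when its queue is full so the platform retries, and otherwise enqueues the event and returns 202 well inside the 7-second timeout. `handle_webhook`, `verify_jwt` and `jobs` are hypothetical names; `verify_jwt` stands for your own JWT validation against the realm's public key, and the optional `Bearer` prefix is an assumption because the page does not state the scheme.

```python
import json
import queue


def handle_webhook(headers, body, verify_jwt, jobs):
    """Return the HTTP status code to answer a webhook POST with.

    headers    -- dict of request headers (canonical names assumed)
    body       -- raw request body as bytes
    verify_jwt -- hypothetical callable: returns the token's claims or
                  raises ValueError (signature, expiry, issuer checks)
    jobs       -- bounded queue.Queue drained by a background worker
    """
    # 1. Authenticate first: the endpoint is public, so fail closed.
    auth = headers.get("Authorization", "")
    # Assumption: the token may be prefixed with the "Bearer " scheme.
    token = auth[7:] if auth.lower().startswith("bearer ") else auth
    if not token.strip():
        return 401          # 4xx: the platform does not retry
    try:
        claims = verify_jwt(token.strip())
    except ValueError:
        return 401

    # 2. Validate the payload; a malformed body will not improve on retry.
    if "application/json" not in headers.get("Content-Type", ""):
        return 415
    try:
        event = json.loads(body)
    except ValueError:      # covers JSONDecodeError and UnicodeDecodeError
        return 400
    if not isinstance(event, dict):
        return 400

    # 3. Hand off without blocking: slow work here risks the 7 s timeout,
    #    which the platform counts as success and never retries.
    try:
        jobs.put_nowait((claims, event))
    except queue.Full:
        return 503          # 5xx: retried after 1, 3 and 9 seconds
    return 202              # accepted for background processing
```
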