Webhook payload On Document State Change

PandaDoc notifies your custom application endpoint when a PandaDoc document changes state.

A Webhook is a callback request from the PandaDoc API to an endpoint specified in your application. Use webhooks as pushed notifications of document events instead of polling various API endpoints for modified data.

Documents are processed asynchronously in PandaDoc. Instead of checking a document status by polling, PandaDoc can push document information to your application when a document changes state. We support multiple webhooks for one application.

Webhook data is in the form of an array and may contain a few notification objects at the same time.

👍

Webhook Setup

Setup a webhook for your application in the developer dashboard: https://app.pandadoc.com/a/#/settings/api-dashboard/configuration.

Basic information and recipient are always returned. fields, tokens, products, and pricing can be configured in webhook settings.

Webhooks Events

Event NameEvent Description
document_state_changedPandaDoc sends this event when a state of a document has been changed (e.g. document has been completed).
document_updatedPandaDoc sends this event when a new revision of a document has been added. Please take into account that a new revision is added with a document status change (e.g. draft->sent, sent-> draft)
recipient_completedPandaDoc sends this event when a recipient has completed a document. JSON payload additionally contains action_by and action_on fields with an information who and when completed a document.
document_deletedPandaDoc sends this event when a document has been removed.
document_creation_failedEvent is sent when document creation via API been failed.

Webhooks Debugging and Retries

You can use the Webhooks History tab to see all the request calls PandaDoc is making to your server and response statuses.

2748

Webhook History

2288

Webhook manual retries

PandaDoc does not currently have an automatic retry webhooks mechanism, nor a retry option available via API. If we receive an erroneous response from your web application, we won't retry the webhook post request again.

🚧

Webhooks timeouts

A connection timeout occurs after 5 seconds.
A read timeout occurs after 20 seconds.

Webhook Limits

🚧

Webhook subscription deactivation

We will deactivate your webhook subscription in case:

  1. your server responds with 410 error, or
  2. HTTP 4xx client errors and/or HTTP 5xx server errors occur for a period of 7 days

Webhooks Verification

When making a PandaDoc API request, your identity is confirmed by the access_token submitted in each request header. To make sure requests are valid and not a request spoofed as PandaDoc in your own application, we support webhook verification.

Using your shared key and a "signature,” you can verify the contents of a webhook are authentic and un-tampered.

Your shared key can be found in the Developer Dashboard part of your account settings.

🚧

Protect Your Shared Key

Treat your shared key like a password to prevent others from generating a webhook with a payload that could pass a signature verification test.

Webhooks are signed with a signature generated by taking an HMAC-SHA256 hash of the webhook post’s raw HTTP Body (UTF8 encoding). This signature is sent with the Webhook post as a query parameter in your URL by using the signature variable.

https://yourdomain.com/webhook-handler/?signature={signature}
signature = hmac.new(str(shared_key), str(request_body), digestmod=hashlib.sha256).hexdigest()
signature = hash_hmac('sha256', $request_body, $shared_key);
public static bool VerifyHMACSHA256(string sharedKey, string source, string dest) {
    byte[] key = Encoding.UTF8.GetBytes(sharedKey);
    using (HMACSHA256 hmac256 = new HMACSHA256(key))
    {
         var hashedSource = hmac256.ComputeHash(Encoding.UTF8.GetBytes(source));
                   
         if (hashedSource == null || hashedSource.Length == 0)
         {
             return false;
         }

         var hmac = new StringBuilder();
         for (int i = 0; i < hashedSource.Length; i++)
         {
             // the format hex string should always be 2 characters
             hmac.AppendFormat("{0:x2}", hashedSource[i]);
         }

         return hmac.ToString().Equals(dest);
    }
}
const hmac = crypto.createHmac('sha256', sharedKey);

hmac.update(requestBody);

const signature = hmac.digest('hex');

IP safelist

Please find below IPs from where you can safely accept PandaDoc webhooks events:

  • 52.12.31.116/32
  • 52.37.240.175/32
  • 35.167.41.246/32
Language
Authorization
OAuth2