Webhook Payload

PandaDoc notifies your custom application endpoint when a PandaDoc document or template changes state.

A Webhook is a callback request from the PandaDoc API to an endpoint specified in your application. Use webhooks as pushed notifications of document events instead of polling various API endpoints for modified data.

Documents are processed asynchronously in PandaDoc. Instead of checking a document status by polling, PandaDoc can push document information to your application when a document changes state. We support multiple webhooks for one application.

Webhook data is in the form of an array and may contain several notification objects at the same time.

👍

Webhook Setup

Set up a webhook for your application in the developer dashboard: https://app.pandadoc.com/a/#/settings/api-dashboard/configuration.

A webhooks always returns basic information and recipient. You can configure fields, tokens, products, and pricing in the webhook settings.

Webhooks Events

Event NameEvent Description
document_state_changedChanged the state of a document (for example, a document has been completed).
document_updatedAdded a new revision of a document. Please take into account that a new revision is added with a document status change (for example, draft->sent, sent-> draft)
recipient_completedA recipient has completed a document. JSON payload additionally contains action_by and action_on fields with the information on who and when completed the document.
document_deletedA document has been removed.
document_creation_failedDocument creation via API failed.
quote_updatedA user clicked the Save button after updating a quote in the Quote Builder within PandaDoc.
template_createdA user have created a new template.
template_updatedA user have updated an existing template: changed its name, roles, or added new sections to the bundled content.

Webhooks Debugging and Retries

You can use the Webhooks History tab to see all the request calls PandaDoc is making to your server and response statuses.

2748

Webhook History

2288

Webhook manual retries

PandaDoc does not currently have an automatic retry webhooks mechanism, nor a retry option available via API. If we receive an erroneous response from your web application, we won't retry the webhook post request again.

🚧

Webhooks timeouts

A connection timeout occurs after 5 seconds.
A read timeout occurs after 20 seconds.

Webhook Limits

🚧

Webhook subscription deactivation

We will deactivate your webhook subscription in case:

  1. your server responds with 410 error, or
  2. HTTP 4xx client errors and/or HTTP 5xx server errors occur for a period of 7 days

Webhooks Verification

When making a PandaDoc API request, your identity is confirmed by the access_token submitted in each request header. To make sure requests are valid and not a request spoofed as PandaDoc in your own application, we support webhook verification.

Using your shared key and a "signature,” you can verify the contents of a webhook are authentic and un-tampered.

Your shared key can be found in the Developer Dashboard part of your account settings.

🚧

Protect Your Shared Key

Treat your shared key like a password to prevent others from generating a webhook with a payload that could pass a signature verification test.

Webhooks are signed with a signature generated by taking an HMAC-SHA256 hash of the webhook post’s raw HTTP Body (UTF8 encoding). This signature is sent with the Webhook post as a query parameter in your URL by using the signature variable.

https://yourdomain.com/webhook-handler/?signature={signature}
signature = hmac.new(str(shared_key), str(request_body), digestmod=hashlib.sha256).hexdigest()
signature = hash_hmac('sha256', $request_body, $shared_key);
public static bool VerifyHMACSHA256(string sharedKey, string source, string dest) {
    byte[] key = Encoding.UTF8.GetBytes(sharedKey);
    using (HMACSHA256 hmac256 = new HMACSHA256(key))
    {
         var hashedSource = hmac256.ComputeHash(Encoding.UTF8.GetBytes(source));
                   
         if (hashedSource == null || hashedSource.Length == 0)
         {
             return false;
         }

         var hmac = new StringBuilder();
         for (int i = 0; i < hashedSource.Length; i++)
         {
             // the format hex string should always be 2 characters
             hmac.AppendFormat("{0:x2}", hashedSource[i]);
         }

         return hmac.ToString().Equals(dest);
    }
}
const hmac = crypto.createHmac('sha256', sharedKey);

hmac.update(requestBody);

const signature = hmac.digest('hex');

IP safelist

Please find below IPs from where you can safely accept PandaDoc webhooks events:

  • 52.12.31.116/32
  • 52.37.240.175/32
  • 35.167.41.246/32
Language
Authorization
OAuth2