Metorik Docs
Exports & Digests

Recurring exports by webhook

When exporting data from Metorik with a recurring export, you can choose webhook as the delivery method instead of email or Slack.

How it works

  • When the recurring export runs, Metorik sends a POST   request to your webhook URL.

  • The request body includes export details, a totals   object, and a temporary download URL for the generated file. You should automatically download the export from this URL when you accept the webhook.

  • The download URL is temporary and currently expires after 6 hours.

Webhook headers

Metorik always sends:

  • X-Metorik-Event: saved_export.ready

If you set a secret, Metorik also sends:

  • X-Metorik-Signature: <hmac sha256 signature>

Test webhooks

  • In the recurring export form, you can use Send test webhook to send a simulated payload to your webhook URL.

  • Test requests use X-Metorik-Event: saved_export.test.

  • If a secret is set, test requests also include X-Metorik-Signature.

Example webhook body

{
  "event": "saved_export.ready",
  "store_id": 123,
  "saved_export_id": 456,
  "export_id": 789,
  "name": "Weekly customers export",
  "resource": "customers",
  "frequency": "weekly",
  "generated_at": "2026-03-29T10:00:00Z",
  "date_range": {
    "start_date": "2026-03-22",
    "end_date": "2026-03-28"
  },
  "totals": {
    "count": 42
  },
  "download": {
    "url": "https://example.com/temporary-download-url",
    "expires_at": "2026-03-29T16:00:00Z"
  }
}

Using a secret

If you enter a secret in the recurring export settings, Metorik does not send the raw secret in the request body.

Instead, Metorik signs the full JSON payload and sends the signature in X-Metorik-Signature.

The signature is:

  • HMAC SHA-256

  • generated from the raw JSON request body

  • using your configured secret

Why use it

  • It helps verify the request really came from Metorik.

  • It helps verify the request body was not modified in transit.

How to verify the signature

  1. Read the raw request body exactly as sent.

  2. Generate your own HMAC SHA-256 using that raw body and your secret.

  3. Compare your result to the X-Metorik-Signature   header.

Example in PHP

$rawBody = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_METORIK_SIGNATURE'] ?? '';
$secret = 'your-signing-secret';
$expected = hash_hmac('sha256', $rawBody, $secret);

if (! hash_equals($expected, $signature)) {
    http_response_code(401);
    exit('Invalid signature');
}

// ok, download export now

Notes

  • Use the raw request body when verifying signatures, not a re-encoded JSON object.

  • If you do not set a secret, X-Metorik-Signature   is not sent.

  • The webhook body always includes the totals   object.

  • The file itself is not included in the webhook body; use download.url   to fetch it.

Was this helpful?