Skip to main content
Webhooks allow Ownright to proactively notify your system when important events happen — without requiring you to constantly poll the API. They’re the best way to keep your platform in sync with activity on the Ownright platform as it evolves in real time.

🔔 What are webhooks?

A webhook is a lightweight HTTP request sent from Ownright to your server when a specific event occurs. For example, when a referral is converted into a matter, you’ll receive a webhook event immediately — no need to poll for updates. Webhooks enable:
  • Real-time updates to your internal systems
  • Triggering business logic or workflows (e.g. status sync, UI changes)
  • Scalable and event-driven integrations

🎯 Why we use webhooks

Real estate transactions move fast. Webhooks help you:
  • Stay informed the moment something progresses
  • Automatically update client records or timelines
  • Reduce polling overhead and keep your app performant

📬 Webhook subscriptions

To get started with webhooks you will need to create a “webhook subscription”. Webhook subscriptions allow you to register your server to receive specific events. Each subscription includes:
  • A callback URL: The endpoint Ownright will send events to
  • A list of event types the URL should receive
  • A webhook secret used to verify authenticity

Registering a webhook subscription

Webhook subscriptions are registered via the API. Refer to your API’s reference section for the specific mutations available. When creating a subscription, Ownright will:
  1. Generate a verification token
  2. Send an HTTP POST request to your callback URL with the token
  3. Expect a response with the same token in the body
If verification succeeds, the webhook subscription will be created and your callback URL will begin to receive events.

Verification example

Request sent by Ownright: 
POST /your/callback/url HTTP/1.1
Content-Type: application/json
X-Ownright-Webhook-Signature: signature
X-Ownright-Webhook-Timestamp: timestamp

{
  "verification_token": "abc123"
}
Expected response from your server: 
{
  "verification_token": "abc123"
}

📦 Receiving webhook events

When an event occurs, we send an HTTP POST request to your callback URL with a JSON payload.
HeaderHTTP Status
X-Ownright-Webhook-SignatureHMAC SHA256 signature of the request
X-Ownright-Webhook-TimestampTimestamp of the request (used to prevent replay attacks)

Verifying the webhook

To confirm that a webhook request is legitimate:
  1. Concatenate: "{timestamp}.{raw_request_body}"
  2. Hash it using HMAC SHA256 with your webhook secret
  3. Compare the result to the value in X-Ownright-Webhook-Signature
If they match, the event is authentic.
Tip: You can also use the timestamp to reject requests that are too old (e.g., more than 5 minutes) to guard against replay attacks.

🗂 Supported events

The specific events available depend on which API you are using. Refer to the Webhooks section in your API’s reference for the full list of supported events and their schemas.

💡 Best practices

  • Respond with a 2xx status code within 5 seconds to acknowledge receipt
  • Retry logic is built in — failed deliveries will be retried with exponential backoff
  • Your webhook URL should be HTTPS and publicly accessible
  • Always verify webhook signatures for security