Protocol and Security

  • The Webhooks (WH) notifications are sent as (REST) POST requests in the HTTP protocol over SSL only (HTTPS). Therefore, the application endpoint is required to be set up with a valid web-server SSL certificate.

  • Each WH notification request includes LivePerson standard headers which have the header name prefix of “x-liveperson-”.

  • The application endpoint is expected to immediately respond to each a notification request. A response delay of over 10 seconds will lead to a WH (client-side) timeout of that notification request.

  • The application endpoint is expected to respond with either a 200 or 201 response code to each a notification request. Any other response code will be considered as a notification request failure.


  • Each Webhook call will contain the following authentication headers:

    • x-liveperson-account-id: The unique LivePerson account identifier. Can be used to differentiate registration of different accounts, when the same url is used for multiple accounts.

    • x-liveperson-client-id: The unique client application identifier. The client_id that the consumer receives from their account manager after the App Installation process.

    • x-liveperson-signature: A token generated by signing the payload using the client-secret. A SHA1 signature of the payload and the client_secret (given by the account manager in the Application Installation process) preceded with “sha1=”. Here is an example how to calculate this signature in Java:

      Mac mac = Mac.getInstance("HmacSHAl");
      mac.init(**new** SecretKeySpec(
            System.out.println(Base64.getEncoder().encode(mac.doFinal("message payload".getBytes("UTF-8"))))