# Introduction (https://eulabel.eu/docs/webhooks/overview/introduction)

> Fetch the complete documentation index at: https://eulabel.eu/docs/llms.txt
> Use this file to discover all available pages before exploring further.
> Full content: https://eulabel.eu/docs/llms-full.txt
> Append .md to any page URL for markdown, or send Accept: text/markdown.



EUlabel supports two directions of webhook communication:

* **Inbound webhooks**: Your PIM or CMS sends product updates to EUlabel, which automatically regenerates passports
* **Outbound webhooks**: EUlabel sends event notifications to your systems when passports change or scan thresholds are reached

How it works [#how-it-works]

Register an endpoint [#register-an-endpoint]

    Add your webhook URL in the EUlabel dashboard or via the API. You'll receive a signing secret for verification.
Choose your events [#choose-your-events]

    Subscribe to the events you care about: `passport.created`, `passport.updated`, `scan.threshold`, and more.
Verify and process [#verify-and-process]

    Validate the `X-Webhook-Signature` header on every request, then process the payload idempotently.
Best practices [#best-practices]

* Verify signatures for every request.
* Respond with **2xx within 30s** to avoid retries.
* Make handlers **idempotent** (safe to process the same event more than once).

Event types [#event-types]

- [item.update / item.create](https://eulabel.eu/docs/webhooks/inbound-webhooks) — Inbound — PIM/CMS pushes product updates to EUlabel
- [passport.created](https://eulabel.eu/docs/webhooks/outbound-webhooks) — Outbound — a new passport was published
- [passport.updated](https://eulabel.eu/docs/webhooks/outbound-webhooks) — Outbound — an existing passport was modified
- [passport.deleted](https://eulabel.eu/docs/webhooks/outbound-webhooks) — Outbound — a passport was removed
- [scan.threshold](https://eulabel.eu/docs/webhooks/outbound-webhooks) — Outbound — scan count crossed a configured threshold
Signature verification [#signature-verification]

> **Error**
> **Always verify webhook signatures** before processing payloads. Unverified webhooks can be spoofed by an attacker to inject malicious data into your system.

All webhooks (inbound and outbound) include a cryptographic signature for verification:
```text
X-Webhook-Signature: sha256=<HMAC-SHA256 of request body>
```

> **Note**
> Header names may differ slightly between inbound and outbound integrations. Always follow the exact header name documented on the specific inbound/outbound page.

See [Inbound webhooks](https://eulabel.eu/docs/webhooks/inbound-webhooks) and [Outbound webhooks](https://eulabel.eu/docs/webhooks/outbound-webhooks) for implementation details.