Additional Fees Apply
Webhook Overview
The Corrigo Webhook is a lightweight webhook on the Corrigo Sync platform that lets an integration administrator choose which events to listen for and set the webhook URL endpoint to which the data is sent. This solution is designed to enable client development teams to build a self-serve integration that relies on Corrigo system events for a real-time bi-directional workflow.
The Corrigo Webhook requires both API provisioning for the applicable database and a subscription to the Corrigo Sync platform. Contact your account representative for details on implementation.
Visit JLLT University for more information on Corrigo Sync.
Corrigo Webhook Configuration
Event Subscriptions
Select the subscription categories by checking the box next to each module. Next, select the specific trigger(s) for the subscription.
Clicking the blue Info icon on each module will open a dialogue box with a sample payload for that module. Each module has a specific payload structure indexed to the base object. All entities and field definitions may be found in the Data Model of Entities section of the Corrigo Developer site.
Available Events
| Event Category | Event Category Description |
|---|---|
| Work Order Updates | Create, Pick Up (Accept/Acknowledge), Start (Check-In), Stop (Check-Out), On Hold, Re-Open, Cancel, Complete, Verified, Assigned/Re-Assigned, Attention (Flagged), Flag Cleared, Schedule Start Date Updated |
| Work Order Estimate | Estimate Rejected, Estimate Approved |
| Work Order Costs | Vendor Invoice Status Changed, Internal Costs Status Changed |
| Work Order Note | WO Note is added |
| Work Order Attachment | Attach document to Work Order |
Sample Payload for Work Order Updates
```json
{
  "Entities": [
    {
      "Data": {
        "Number": "SBG00001",
        "TypeCategory": "Request",
        "WorkOrderCost": {
          "Id": 1022288
        },
        "Priority": {
          "Id": 3
        },
        "StatusId": "Completed",
        "Access": "NotApplicable",
        "MainAsset": {
          "Id": 518770
        },
        "ShortLocation": "Services",
        "TaskRefinement": "HVAC Services:Air Conditioning/Heater Repair (non-emergency)",
        "WorkZone": {
          "DisplayAs": "South Beverly Grill",
          "Number": "southbevgrill",
          "CustomFields": [],
          "ConcurrencyId": 3,
          "Id": 449
        },
        "Employee": {
          "DisplayAs": "Test McTesterson",
          "ActorTypeId": "Employee",
          "Number": "",
          "ConcurrencyId": 10,
          "Id": 3708
        },
        "Duration": 0,
        "VendorNte": {
          "CurrencyTypeId": "USD",
          "Value": 0.0
        },
        "Specialty": {
          "DisplayAs": "HVAC",
          "WONServiceId": 12,
          "Instructions": "",
          "IsNteAuto": true,
          "IsRemoved": false,
          "ConcurrencyId": 5,
          "Id": 10001
        },
        "PoNumber": "323727857",
        "SubType": {
          "DisplayAs": "Request",
          "TypeId": "Request",
          "ConcurrencyId": 5,
          "Id": 259
        },
        "Customer": {
          "Name": "South Beverly Grill",
          "TenantCode": "sbg102",
          "CustomFields": [
            {
              "Descriptor": {
                "Name": "SC Location Number",
                "ConcurrencyId": 1,
                "Id": 434
              },
              "Value": "102",
              "Id": 663242
            }
          ],
          "ConcurrencyId": 5,
          "Id": 776
        },
        "ContactName": "",
        "WonId": 0,
        "IsWarranty": false,
        "Flag": {
          "DisplayAs": "New or Missing Equipment",
          "ActionId": "Attention",
          "ConcurrencyId": 1,
          "Id": 3340
        },
        "FlagId": 3340,
        "TimeZone": 4,
        "CurrencyTypeId": "USD",
        "LastActionDate": "2025-09-11T15:22:05.92",
        "DtCreated": "2025-08-28T06:20:40.16",
        "DtDue": "2025-09-04T06:20:00",
        "DtAcknowledgeBy": "2025-08-29T06:20:00",
        "AcknowledgeByUtc": "2025-08-29T13:20:00",
        "LastActionDateUtc": "2025-09-11T22:22:05.92",
        "CreatedDateUtc": "2025-08-28T13:20:40.16",
        "DueDateUtc": "2025-09-04T13:20:00",
        "DtOnSiteBy": "2025-08-29T06:20:00",
        "DtUtcOnSiteBy": "2025-08-29T13:20:00",
        "LastAction": {
          "Id": 1022288,
          "LastAction": {
            "TypeId": "Complete",
            "Actor": {
              "Id": 1,
              "TypeId": "Employee"
            },
            "ActionDate": "2025-09-11T15:22:05.92",
            "Comment": "Completion note",
            "SystemDateUtc": "2025-09-11T22:22:05.92",
            "Id": 8174542
          }
        },
        "Items": [
          {
            "Asset": {
              "Name": "HVAC Services",
              "Attributes": [
                {
                  "Descriptor": {
                    "Name": "JACS ID",
                    "ConcurrencyId": 129,
                    "Id": 10155
                  },
                  "Value": "ABC123",
                  "ConcurrencyId": 1,
                  "Id": 5944125
                }
              ],
              "Id": 518772
            },
            "Task": {
              "DisplayAs": "Air Conditioning/Heater Repair (non-emergency)",
              "ConcurrencyId": 1,
              "Id": 33897
            },
            "Comment": "",
            "ConcurrencyId": 1,
            "Id": 1090522
          }
        ],
        "Notes": [
          {
            "CreatedDate": "2025-08-28T06:20:42",
            "Body": "Service Request has been dispatched to LF Incorporated LLC via [email protected] with USD 1000.00 NTE.",
            "WorkOrderId": 1022288,
            "NoteTypeId": "Public",
            "CreatedBy": {
              "Id": 3702,
              "TypeId": "Employee"
            },
            "Id": 991149
          }
        ],
        "CompletionNote": {
          "CreatedDate": "2025-09-11T15:20:35",
          "Body": "Completion note",
          "WorkOrderId": 1022288,
          "NoteTypeId": "Completion",
          "CreatedBy": {
            "Id": 1,
            "TypeId": "Employee"
          },
          "Id": 991150
        },
        "Documents": [
          {
            "Description": "",
            "Title": "singer",
            "StartDate": "2025-08-29T00:00:00",
            "UpdatedDate": "2025-08-29T10:43:47",
            "IsShared": true,
            "IsPublic": false,
            "DocUrl": "https://enterpriseam.s3.amazonaws.com/10721/4693ceb5-e877-4eb9-8032-efe2bac32cae/singer.jpg",
            "MimeType": "image/jpeg",
            "UpdatedBy": {
              "Id": 1,
              "TypeId": "Employee"
            },
            "ConcurrencyId": 1,
            "Id": 262805
          }
        ],
        "CustomFields": [
          {
            "Descriptor": {
              "Name": "SC Equipment",
              "ConcurrencyId": 1,
              "Id": 427
            },
            "Value": "ELEVATOR/ESCALATOR / HVAC / / HVAC Services / Test",
            "Id": 684464
          },
          {
            "Descriptor": {
              "Name": "SC Problem Code",
              "ConcurrencyId": 1,
              "Id": 428
            },
            "Value": "HVAC Services",
            "Id": 684465
          },
          {
            "Descriptor": {
              "Name": "SC Tracking #",
              "ConcurrencyId": 1,
              "Id": 429
            },
            "Value": "323727857",
            "Id": 684466
          },
          {
            "Descriptor": {
              "Name": "SC Trade",
              "ConcurrencyId": 1,
              "Id": 430
            },
            "Value": "HVAC",
            "Id": 684467
          },
          {
            "Descriptor": {
              "Name": "SC Category",
              "ConcurrencyId": 1,
              "Id": 431
            },
            "Value": "REPAIR",
            "Id": 684468
          }
        ],
        "CheckInOuts": [
          {
            "EmployeeId": 3708,
            "DtCheckIn": "2025-08-29T11:11:06",
            "InCheckTypeId": "Gps",
            "InStatusId": "Invalid",
            "DtCheckOut": "2025-08-29T11:11:28",
            "OutCheckTypeId": "Gps",
            "OutStatusId": "Invalid",
            "ConcurrencyId": 2,
            "Id": 519765
          }
        ],
        "InductionAndSafetyStatusID": "NotApplicable",
        "Score": 0,
        "TravelTimeFrom": 0,
        "TravelTimeTo": 0,
        "ConcurrencyId": 12,
        "Id": 1022288
      }
    }
  ],
  "ActionType": "Create",
  "ActionDate": "2021-04-28T07:13:05.05"
}
```
Settings
Enter the URL to which all transactions in this webhook subscription will be sent. The Signing Key is a client-defined string (max of 64 characters) used as a shared secret for the HMAC authentication process.

HMAC Authentication
Purpose
The X-Webhook-Signature header contains a cryptographic signature that proves the authenticity of the webhook request. This header is automatically added to every webhook request sent from the Corrigo Sync integration.
What It Contains
Without validating this signature, your endpoint would have no way to verify that:
- The request actually came from Corrigo Sync (and not a malicious third party)
- The payload hasn't been altered during transmission
- The request is current and not a replay of an old legitimate request
By validating the signature, you ensure that only authorized webhook requests are processed by your system.
Step-by-Step Validation Process
Prerequisites
Before implementing webhook signature validation, ensure you have:
- The shared HMAC Signing Key - the same secret key configured in the Corrigo integration settings
- HMAC-SHA256 capability - Your platform must be able to compute HMAC-SHA256 hashes
- Access to raw request body - Your implementation must be able to read the raw, unparsed request body
- The signature header name - By default X-Webhook-Signature
1. Extract the Signature from the Request Header
   Read the signature value from the HTTP header (default: X-Webhook-Signature). If the header is missing, reject the request immediately as it indicates an unauthenticated request.
2. Read the Raw Request Body
   Capture the complete, raw request body as a string exactly as received. This is critical - the signature is computed against the raw JSON string, not the parsed data structure. Do not parse or modify the body before validation.
3. Compute Your Own Signature
   Using your stored copy of the HMAC secret, compute the HMAC-SHA256 signature of the raw request body:
   - Convert both the secret and request body to UTF-8 byte arrays
   - Compute the HMAC-SHA256 hash using the secret as the key and the body as the message
   - Encode the resulting hash to Base64 format
4. Compare Signatures
   Compare the signature you received in the header with the signature you just computed. The signatures must match exactly.
5. Handle the Validation
   - If signatures match: The request is authentic - proceed to process the webhook data
   - If signatures don't match: The request is unauthorized - reject it
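The validation steps above as a receiver-side check, written as an added Python example (not Corrigo's code). The function names, the 401 status used for rejection, the standard Base64 alphabet and the sample key and body are assumptions made for illustration; the re-encoded case shows why the raw bytes must be signed rather than the parsed JSON.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Webhook-Signature"  # default header name given on the page


def compute_signature(signing_key: str, raw_body: bytes) -> str:
    """Base64 (standard alphabet, assumed) of HMAC-SHA256 over the raw body."""
    digest = hmac.new(signing_key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: dict, raw_body: bytes, signing_key: str) -> bool:
    """Return True only if the header signature matches the raw body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # missing header: treat as unauthenticated
    expected = compute_signature(signing_key, raw_body)
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(received.strip().encode("utf-8"), expected.encode("utf-8"))


def handle(headers: dict, raw_body: bytes, signing_key: str):
    """Validate first, parse second. Returns (status, parsed payload or None)."""
    if not verify_webhook(headers, raw_body, signing_key):
        return 401, None  # status code is an assumption; the page only says "reject"
    return 200, json.loads(raw_body)


# Constructed sample values (not real Corrigo data).
KEY = "example-signing-key"
BODY = b'{"Entities": [{"Data": {"Number": "SBG00001"}}],  "ActionType": "Create"}'
GOOD = {SIGNATURE_HEADER: compute_signature(KEY, BODY)}
# Parsing and re-serialising changes the bytes (whitespace here), so the HMAC differs.
REENCODED = json.dumps(json.loads(BODY)).encode("utf-8")

if __name__ == "__main__":
    print(handle(GOOD, BODY, KEY)[0])          # authentic request
    print(handle(GOOD, REENCODED, KEY)[0])     # same data, different bytes
    print(handle({}, BODY, KEY)[0])            # no signature header
    print(handle(GOOD, BODY, "wrong-key")[0])  # receiver holds a different key
```

Pass `raw_body` exactly as read from the request stream, before any JSON middleware or framework body parser has touched it.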
NOTE: Clicking Save in each section of the Settings page will invoke a network and login test using the data entered. A successful Save means the connection can be made and all information is validated. An error means one or more of the data points is incorrect or invalid.

