Create a webhook via the WooCommerce REST API by POSTing to `/wp-json/wc/v3/webhooks` with `name`, `topic` (e.g., `order.created`), `delivery_url`, and optionally `secret`.
WooCommerce generates a secret automatically if you don't provide one — retrieve it from the webhook object's `secret` field immediately after creation, as it is only shown once.
When a webhook fires, WooCommerce includes a `X-WC-Webhook-Signature` header containing a base64-encoded HMAC-SHA256 of the raw payload signed with the webhook secret.
In your handler, compute HMAC-SHA256 of the raw request body using the stored secret, base64-encode the result, and compare it to the header value using a constant-time comparison.
Respond with HTTP 200 within a short timeout to acknowledge delivery; WooCommerce marks webhooks as failed and eventually disables them after several consecutive delivery failures.
Re-enable a disabled webhook by sending a PUT to `/wp-json/wc/v3/webhooks/{id}` with `status: active`.
Known gotchas
WooCommerce webhooks are delivered synchronously during the request lifecycle on some hosting setups, which can cause slow customer-facing responses if your endpoint is slow — process asynchronously and return 200 quickly.
The webhook secret is only returned in the creation response; if you lose it, you must delete and recreate the webhook to get a new one.
Some managed WordPress hosts firewall outbound HTTP requests or impose strict timeout limits, causing delivery failures even when your endpoint is healthy — verify the host's outbound request capabilities.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp