In the Intuit Developer portal, navigate to your app's Webhooks section and register an HTTPS endpoint URL that is publicly reachable.
Select the entities (e.g., Invoice, Payment, Customer) and event types (Create, Update, Delete, Void, Merge) you want to receive.
When a notification arrives, verify the payload by computing an HMAC-SHA256 of the raw request body using your webhook verifier token and comparing it to the intuit-signature header value.
Parse the JSON payload: each notification contains an array of realmId-grouped EventNotification objects, each with an array of dataChangeEvent entries that include entityName, id, and operation.
Respond with HTTP 200 immediately; if processing is async, queue the events and acknowledge receipt first to avoid duplicate deliveries.
Use the entity Id from the notification to fetch the full current record from the QBO API, since webhook payloads do not include changed field values.
Known gotchas
Failing to return HTTP 200 within a few seconds causes Intuit to retry the delivery multiple times; design your handler to be idempotent.
The verifier token shown in the Developer portal is distinct from the OAuth client secret; confusing them will cause every signature check to fail.
Webhook subscriptions expire and must be renewed; monitor for expiration notifications from Intuit to avoid missing events.
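The signature check from the steps above, together with the verifier-token gotcha, as an added example that is not Intuit's or this page's own code. It assumes the intuit-signature header carries the base64 encoding of the HMAC-SHA256 digest; the token, client secret, and request body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demonstration; none are real credentials.
VERIFIER_TOKEN = "example-verifier-token"
OAUTH_CLIENT_SECRET = "example-client-secret"
RAW_BODY = b'{"eventNotifications":[{"realmId":"0000000000"}]}'


def sign(raw_body: bytes, key: str) -> str:
    """Base64 of HMAC-SHA256(key, raw_body): the assumed header encoding."""
    mac = hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_intuit_signature(raw_body: bytes, header_value, verifier_token: str) -> bool:
    """True only if the intuit-signature value matches the raw body bytes."""
    if not header_value or not verifier_token:
        return False  # missing header or unset token: reject, never skip
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # header is not valid base64
    expected = hmac.new(verifier_token.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)  # constant-time compare


def demo() -> dict:
    """Run the accept case and the failure modes against the constructed body."""
    header = sign(RAW_BODY, VERIFIER_TOKEN)
    reparsed = json.dumps(json.loads(RAW_BODY)).encode("utf-8")  # spacing changes
    tampered = RAW_BODY.replace(b"0000", b"1111")
    return {
        "valid": verify_intuit_signature(RAW_BODY, header, VERIFIER_TOKEN),
        "tampered_body": verify_intuit_signature(tampered, header, VERIFIER_TOKEN),
        "reserialized_body": verify_intuit_signature(reparsed, header, VERIFIER_TOKEN),
        "client_secret_as_key": verify_intuit_signature(RAW_BODY, header, OAUTH_CLIENT_SECRET),
        "missing_header": verify_intuit_signature(RAW_BODY, None, VERIFIER_TOKEN),
        "malformed_header": verify_intuit_signature(RAW_BODY, "not base64!", VERIFIER_TOKEN),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} accepted={accepted}")
```

The reserialized_body case is why the handler must hash the bytes exactly as received: parsing the JSON and dumping it again changes the spacing, so the digest no longer matches.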