HTTP headers

Webhook updates include a set of HTTP headers, some of which are standard HTTP headers and some of which are Toast-specific. This section provides more details on both types.

Toast-specific HTTP headers

The following table describes the Toast-specific HTTP headers included with webhook events.

Header Description


As a security measure, all webhook messages contain a signature in the Toast-Signature HTTP header. A webhook endpoint uses the Toast-Signature header to confirm that a webhook update message is coming from a known, secure source. See Message signing for more details.


The type of event that has occurred, for example, a partner_added event for the partners webhook or a low_quantity event for the stock webhook.


If the triggering event has occurred at a restaurant, the GUID of that restaurant is included in the Toast-Restaurant-External-ID HTTP header, for example, if the webhook update is for a low_quantity event, this header identifies the restaurant where the inventory quantity is low. This header is omitted if the triggering event has not occurred at a restaurant, for example, the header is omitted for the Partners webhook event types because those events are triggered by changes to a partner's status, not changes to a restaurant's status.


The event category, for example, partners or stock.

Standard HTTP headers

In addition to the Toast-specific HTTP headers, webhook events include the standard HTTP headers shown in the table below. For more detailed information on these headers, see

Header Value






The size of the message body, in bytes.




The domain name and port of the server that is listening for webhook events. Generated from the partner URI that is specified when a webhook subscription is created.


Apache-HttpClient/4.5.10 (Java/1.8.0_212)