
Feature

Stock that updates the second something sells in SAM.

Most catalogue sync plugins update stock on a schedule — hourly at best. That's fine for shops with replenishable inventory, but one-of-a-kind artwork doesn't get to wait an hour. Defyn SAM combines scheduled syncs with authenticated SAM webhooks, so a sale at the centre's in-gallery POS or via SAM's portal hits your online storefront within seconds.

Works on Shopify and WordPress / WooCommerce.

The pain

What can go wrong with scheduled-only stock sync.

  • An in-gallery customer buys a painting via the centre's SAM POS. An online customer clicks Buy on the same painting 30 minutes later. Both orders process. The centre has to apologise to one customer.
  • Hourly stock sync means a one-of-a-kind piece is technically buyable on the storefront for up to 59 minutes after it's gone. Refund + apology workflows are uncomfortable for a culturally sensitive purchase.
  • Burst sync after a holiday weekend can hammer SAM's API; conservative scheduled-only setups skip syncs to stay under rate limits and stock drifts even further.

What it does

Webhook-first stock updates with scheduled-sync as a safety net.

Stock is the one entity where freshness matters by the second. So we treat it differently from everything else in the catalogue.

  • SAM pushes a stock-change webhook the instant inventory changes — sale, return, restock, manual adjustment. The plugin's webhook controller (HMAC-SHA256 verified) updates the matching WC product or Shopify variant within milliseconds.
  • Scheduled syncs (configurable: 1h, 3h, 6h, 12h, 24h, or manual-only) catch anything the webhook missed — network blips, signature mismatches, brief downtime on either side.
  • Out-of-stock products are switched to "sold" status automatically. Once-only artworks disappear from the storefront the moment they're gone; replenishable products are marked back-in-stock the moment they return.

How it works

Inbound webhook → verify → update → log.

  1. SAM signs the request

    Every stock webhook is signed with HMAC-SHA256 against a shared secret you configure in Settings. The signature is sent in the X-SAM-Signature header.

  2. Plugin verifies the signature

    The webhook controller recomputes the HMAC-SHA256 with the configured secret and compares it to the received signature using a constant-time string comparison. Mismatched signatures return HTTP 401 immediately — no payload is parsed.

  3. Match SAM product to local product

    The webhook payload includes a SAM product ID. The plugin queries for the WC product or Shopify variant with the matching sam_id meta. If no match (e.g. a SAM product that never synced), the event is logged and skipped.

  4. Update stock atomically

    Stock quantity, in/out-of-stock status, and any "sold" flag are updated in one database transaction. The change is immediately visible to shoppers — no cache flush required.

  5. Log every event

    Every webhook receipt — successful or rejected — is logged with payload hash, signature verification result, target product ID, and final action. Visible in Tools → Webhook events for support diagnostics.
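The verify, match, update, log sequence above, as an added Python example that is not the plugin's own code. Assumptions: the signature is the hex HMAC-SHA256 of the raw request body, the payload fields are named `sam_id` and `quantity`, and malformed or unmatched events answer 400 and 200.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-shared-secret"            # constructed sample, not a real key
BODY = b'{"sam_id": "SAM-1001", "quantity": 0}'  # constructed payload, field names assumed

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (signed input and encoding are assumptions)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def handle_stock_webhook(headers, raw_body, secret, products, log):
    """Return the HTTP status. `products` maps sam_id -> local product dict."""
    event = {"payload_sha256": hashlib.sha256(raw_body).hexdigest(),
             "signature_ok": False, "product_id": None, "action": "rejected"}
    received = headers.get("X-SAM-Signature", "")
    # Constant-time comparison, done on the raw bytes before any JSON parsing.
    event["signature_ok"] = hmac.compare_digest(
        sign(secret, raw_body).encode(), received.encode())
    if not event["signature_ok"]:
        log.append(event)  # payload hash only, never the payload contents
        return 401
    try:
        payload = json.loads(raw_body)
        sam_id, qty = str(payload["sam_id"]), int(payload["quantity"])
        if qty < 0:
            raise ValueError("negative stock")
    except (ValueError, KeyError, TypeError):
        event["action"] = "malformed"
        log.append(event)
        return 400
    event["product_id"] = sam_id
    product = products.get(sam_id)
    if product is None:
        event["action"] = "skipped_no_match"  # SAM product that never synced
    else:
        # Quantity and status change together (one DB transaction in a real store).
        product.update(stock=qty, status="in_stock" if qty > 0 else "sold")
        event["action"] = "stock_set_%d" % qty
    log.append(event)
    return 200

if __name__ == "__main__":
    products = {"SAM-1001": {"stock": 1, "status": "in_stock"}}
    log = []
    print(handle_stock_webhook({"X-SAM-Signature": sign(SECRET, BODY)},
                               BODY, SECRET, products, log))
    print(log[-1])
```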

Where it kicks in

When the webhook earns its keep.

Scenario: An in-gallery customer pays for a $1,200 painting at the centre's POS at 11:43am.

Result: SAM logs the sale and fires the stock webhook at 11:43:02am. The plugin marks the painting out-of-stock on the storefront. An online customer who lands on the product page at 11:43:05am sees "Sold" and no Buy button. No double-sale.

Scenario: SAM's API has a 60-second outage during the weekly sync.

Result: The scheduled sync fails gracefully; webhook events queue and replay when SAM returns. The next scheduled run reconciles anything that drifted. No manual intervention.

Scenario: A staff member adjusts stock manually in SAM (e.g. found a piece in storage).

Result: SAM fires the same webhook on manual adjustments as on sales. The storefront updates instantly to show the piece back in stock.

Questions

Frequently asked.

What if SAM doesn't have webhooks enabled for my tenant?

Some older SAM tenants haven't been migrated to V3 webhooks yet. In that case the plugin falls back to scheduled stock sync only — same correctness, just a longer worst-case lag. We can help organise the webhook activation with SAM head office.

How is the webhook secured?

HMAC-SHA256 signature on every request, verified against a shared secret you set in Settings. The secret is stored encrypted at rest (AES-256-GCM). The signature header is checked with a constant-time comparison so response timing can't be used to guess a valid signature.

What's the SLA on webhook delivery from SAM?

SAM aims for < 5 seconds between the change in SAM and the webhook landing at the plugin endpoint. The plugin acknowledges with HTTP 200 within ~50ms of receipt; the catalogue update is visible to shoppers immediately on the same request.

Does this work behind WP Engine or Vercel?

Yes. The webhook endpoint is a standard HTTP POST route. WP Engine's CloudFront and Vercel's edge network both pass it through unchanged. SAM's outbound CloudFront IPs are documented and can be allowlisted at the WAF layer if needed.

What happens if a webhook signature fails verification?

Returns HTTP 401. The payload is not parsed. The event is logged (without the payload contents) so admins can spot misconfigured secrets. SAM retries with exponential backoff so transient mismatches recover automatically.

See it in your tenant.

Want a 15-minute screenshare against your actual SAM data? Send us a quick note or call — we’ll line up a walkthrough at a time that suits.