Quickstart

From zero to first webhook in five minutes.

You'll need an onpack account with at least one brand. All API calls use HTTPS and return JSON. Everything else you can copy off this page.

1. Grab an API token

Sign in, open your brand dashboard, and go to Settings → Developers → API. Click Generate Token. Copy the pkd_… string immediately — onpack only stores a hash, so the full value is shown exactly once.

The token is account-level — it reaches every brand your company owns. Store it in a secrets manager, never in source control.

2. List your brands

Confirm the token works by hitting the brand index:

curl

curl https://onpack.io/api/v1/brands \
  -H "Authorization: Bearer pkd_••••••••••••••••"

Ruby

require "net/http"
require "json"

uri = URI("https://onpack.io/api/v1/brands")
req = Net::HTTP::Get.new(uri, "Authorization" => "Bearer #{ENV['ONPACK_API_TOKEN']}")
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |h| h.request(req) }

JSON.parse(res.body)

Node

const res = await fetch("https://onpack.io/api/v1/brands", {
  headers: { Authorization: `Bearer ${process.env.ONPACK_API_TOKEN}` }
});
const brands = await res.json();

3. Receive your first webhook

In the dashboard, open Settings → Developers → Webhooks and add an endpoint URL you control (use a service like webhook.site while testing). Leave the default event subscriptions on. Click Send Test to confirm your endpoint receives the signed payload.

Then scan a production QR on your live packaging (or ask a teammate to). Within seconds you'll see a scan.processed delivery arrive at your endpoint. It carries the full outcome: the scan, the collector (if signed in), and the promotion evaluated.

4. Verify the signature

Every webhook carries an X-Onpack-Signature header. See Webhooks → Verification for code in your language.

5. Go deeper

Common next steps:

Pull the collector list for a brand via GET /collectors
Query a single scan's outcome via GET /scans/:id
Browse the full event catalog