space ocr
ArticlesDocs
developer

Building an AP Automation Pipeline with an OCR API and Webhooks

Learn how to build a reliable accounts payable automation pipeline. Use an async OCR API to upload invoices and receive structured data via secure webhooks.

7 min read· 2026-06-29

Processing invoices is a classic bottleneck. Manual data entry is slow and error-prone. Even with an OCR API, building a system that polls for job completion is inefficient. It adds complexity, latency, and unnecessary traffic to your system. A truly automated accounts payable workflow shouldn't involve waiting and asking "are we there yet?" It should be event-driven, responding instantly when data is ready.

An invoice flowing through AP automation
Invoices in, structured rows + a webhook out.

This is the core principle behind space-ocr's asynchronous processing. Instead of making a request and holding the connection open, you can upload a batch of invoices and immediately get back to work. The API returns a list of job identifiers, confirming the files were received. Our engine then processes each image. When an invoice is successfully read, a notification is sent directly to your application's endpoint. This is done using a webhook—a simple, reliable HTTP POST request containing the structured data.

The flow is straightforward: you make one POST /upload call with your invoice images. In response, you get an array of pending jobs. Later, your server receives an ocr.completed event via webhook. The payload of that event contains the full extraction result, from the supplier name, like "弥生サンブル", down to each line item with its associated coordinates on the page. For reliability, every upload can include an Idempotency-Key header. If you need to retry a network request, sending the same key guarantees you won't create a duplicate processing job.

webhook-receiver.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
const express = require('express');
const crypto = require('crypto');

// Middleware to get the raw body for signature verification
const rawBodySaver = (req, res, buf, encoding) => {
  if (buf && buf.length) {
    req.rawBody = buf.toString(encoding || 'utf8');
  }
};

const app = express({ verify: rawBodySaver });
const webhookSecret = process.env.SPACE_OCR_WEBHOOK_SECRET;

app.post('/webhook', (req, res) => {
  const signature = req.get('X-Spaceocr-Signature');
  if (!signature) {
    return res.status(400).send('Missing signature');
  }

  const hmac = crypto.createHmac('sha256', webhookSecret);
  const digest = Buffer.from(hmac.update(req.rawBody).digest('hex'), 'hex');
  const receivedSignature = Buffer.from(signature, 'hex');

  if (!crypto.timingSafeEqual(digest, receivedSignature)) {
    return res.status(400).send('Invalid signature');
  }

  // Signature is valid, now process the event
  const event = JSON.parse(req.rawBody);

  switch (event.event) {
    case 'ocr.completed':
      const { result } = event.data;
      console.log(`OCR successful for ${result.name}:`, result.values);
      // TODO: Add structured data to your accounting system
      break;
    case 'ocr.failed':
      const { error } = event.data;
      console.error(`OCR failed for ${event.data.name}:`, error.message);
      break;
    case 'webhook.test':
      console.log('Webhook test successful!');
      break;
    default:
      console.log(`Unhandled event type: ${event.event}`);
  }

  res.status(200).send({ received: true });
});

app.listen(3000, () => console.log('Webhook receiver listening on port 3000'));
✓ Verified

How does space-ocr locate data on the page? The underlying language model returns extracted text along with token hints pointing to their likely location. Our engine then performs a crucial verification step: it matches the extracted value, character-by-character, against the actual OCR symbols detected on the page. This process generates a match_ratio score from 0.0 to 1.0. A score of 0.85 or higher indicates a confident match. The final coordinates are returned as a 0-1000 normalized bounding box, independent of the original image's pixel dimensions.

Building this kind of automation should be accessible. The pricing is a flat $0.05 ($0.05 USD) per image processed through the API. Every account gets 100 free scans each month. Importantly, if an OCR job fails because an image is unreadable, you are not charged. The cost is tied directly to successful data extraction, making it a low-risk way to start automating your payables.

  1. Expose a Public Endpoint
    Your server needs a public URL. Use a service like ngrok for local development to expose your local server to the internet.
  2. Register Your Webhook URL
    In the space-ocr dashboard settings, add your public endpoint URL. Securely copy the generated webhook secret.
  3. Implement Signature Verification
    Use the provided code sample to verify the `X-Spaceocr-Signature` header on every incoming request to ensure it's authentic.
  4. Handle the 'ocr.completed' Event
    When a valid event arrives, parse the `data.result` object and pass the structured invoice data to your accounting system or database.
  5. Upload an Invoice Asynchronously
    Make a `POST /upload` request with your files. The API will immediately return job details without waiting for OCR to finish.
  6. Acknowledge Events and Monitor
    Your endpoint should return a 2xx status code quickly to acknowledge receipt. Monitor delivery logs in the dashboard for any issues.
What happens if my webhook endpoint is down?
space-ocr will automatically retry delivery with exponential backoff for up to 6 hours. We retry on 5xx server errors, 408, 429, or timeouts. Delivery logs are kept for 30 days.
How do I verify that a webhook request is actually from space-ocr?
Every webhook includes an `X-Spaceocr-Signature` header. It contains an HMAC-SHA256 signature of the request body, signed with your unique secret. You must verify this signature on your server.
Can I upload multiple invoices in one API call?
Yes, the `POST /upload` endpoint accepts multipart/form-data and you can include multiple `files` fields in a single request. It will return an array of jobs, one for each file.
Is there a charge for failed OCR jobs?
No. If an OCR job fails, we trigger an `ocr.failed` event and automatically refund the scan cost. You only pay for successful extractions.
What's the difference between polling and using webhooks?
Polling requires you to repeatedly call `GET /jobs/{jobId}` to check for completion. Webhooks are event-driven; our server pushes the result to your endpoint the moment it's ready, which is more efficient and provides real-time updates.
How can I safely retry uploads from my application?
The `/upload` endpoint supports the `Idempotency-Key` header. If you send the same key within 24 hours, you'll receive the original cached response instead of creating a duplicate job, preventing double-processing.

Start Automating Your AP Workflow

Get your API key and start building with 100 free scans every month.

Get Started for FreeRead the API Docs
Related
API for Extracting Data From Invoices: A Developer Guide
Document OCR with an Audit Trail: Verify Every Extracted Value