Home / Features / Webhooks
Webhooks

Connect lead capture to the rest of your business stack.

Sync lead events to CRM tools, spreadsheet backups, custom APIs, or communications channels with signed webhooks.

Signed deliveriesAutomatic retriesCustom payload mapping
View payload Verify signatures
Webhook delivery

Push lead events into the tools your team already uses

Every important lead event can be sent as structured JSON so your CRM, spreadsheet, backend, notification tool, or internal workflow can react immediately.

CRM and backend sync

Send captured leads into your CRM, custom backend, sales tools, or enrichment pipeline without manual exports.

Notification channels

Mirror lead events into Slack, Discord, Telegram bridges, email tools, or internal alerting systems.

Analytics and backups

Push lead events into spreadsheets, warehouses, dashboards, or reporting systems for backup and analysis.

Signed sync for every lead event.

LeadsBot dispatches signed JSON payloads when lead activity happens. Your receiving system can verify the signature, process the payload, and reject anything that fails integrity checks.

  • HMAC-SHA256 signatures on webhook deliveries.
  • Structured JSON events for lead creation, status changes, replies, and workflow activity.
  • Retry-friendly delivery behavior for temporary receiver failures.
  • Custom payload mapping for teams that need specific downstream fields.
POST https://example.com/webhooks/leadsbot
JSON 
{
  "event": "lead.created",
  "data": {
    "name": "Jane Smith",
    "email": "jane@example.com",
    "score": 88,
    "source": "website-widget"
  }
}

Verify every webhook before your system trusts it.

Webhook security is built around HMAC signing. Your receiver should compute the expected signature from the raw request body and compare it with the X-LeadsBot-Signature header before processing.

  • Use the raw request body for signature verification.
  • Compare signatures using a timing-safe comparison.
  • Return a non-2xx response when verification fails.
  • Rotate webhook secrets when credentials may be exposed.
verify-webhook.ts
import crypto from 'crypto';

function verifyWebhook(rawBody, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}
Event lifecycle

From lead capture to downstream action

Use webhooks when external systems need to react to lead events without waiting for exports or manual updates.

01

Lead captured

A widget, landing page, QR source, listener form, or API endpoint creates a lead.

02

Event generated

LeadsBot creates a structured event with lead details, source context, and workflow metadata.

03

Payload signed

The raw payload is signed with your webhook secret before delivery.

04

Receiver acts

Your system verifies the signature, stores the event, and triggers the next operation.

Production checklist

Before connecting production webhooks

A webhook should be treated like a production integration point, not just a notification URL.

01

Use HTTPS

Only receive webhook traffic on HTTPS endpoints with a valid certificate.

02

Verify signatures

Reject requests that fail HMAC verification before any side effect happens.

03

Return fast responses

Acknowledge valid events quickly, then process heavier work in a queue when possible.

04

Handle duplicates

Store delivery IDs or event IDs so retries do not create duplicate downstream actions.

Connect LeadsBot to the rest of your response stack.

Use signed webhooks to move captured leads into the systems your business already depends on.

View developer API Start free