Skip to content

Webhooks

Organizations can register outgoing webhooks so your systems hear about lead activity as it happens. Webhooks are configured by an organization admin in the Lynqu dashboard (Integrations), with a target URL, a signing secret, and the events to subscribe to.

Event Fires when
lead.created A new lead lands in the organization
lead.stage_changed A lead moves pipeline stage
lead.merged Two duplicate leads are merged
automation.rule_fired A workflow-automation rule executes

Each delivery is an HTTPS POST with a JSON body:

{
"event": "lead.stage_changed",
"data": { }
}

and these headers:

Header Value
Content-Type application/json
X-Webhook-Event The event name
X-Webhook-Signature HMAC-SHA256 of the raw JSON body, keyed with your signing secret

Respond with any 2xx within a few seconds. Failed deliveries are retried with backoff.

Always verify before trusting a payload. Compute HMAC-SHA256 over the raw request body with your secret and compare constant-time:

import { createHmac, timingSafeEqual } from "node:crypto";
function isValid(rawBody, signatureHeader, secret) {
const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
return timingSafeEqual(Buffer.from(expected), Buffer.from(signatureHeader));
}
import hashlib, hmac
def is_valid(raw_body: bytes, signature_header: str, secret: str) -> bool:
expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, signature_header)

Reject anything that doesn’t verify. Treat webhook payloads as notifications — when in doubt, re-fetch the resource from the REST API using the ids in the payload.