Webhooks
Organizations can register outgoing webhooks so your systems hear about lead activity as it happens. Webhooks are configured by an organization admin in the Lynqu dashboard (Integrations), with a target URL, a signing secret, and the events to subscribe to.
Events
Section titled “Events”| Event | Fires when |
|---|---|
lead.created |
A new lead lands in the organization |
lead.stage_changed |
A lead moves pipeline stage |
lead.merged |
Two duplicate leads are merged |
automation.rule_fired |
A workflow-automation rule executes |
Delivery
Section titled “Delivery”Each delivery is an HTTPS POST with a JSON body:
{ "event": "lead.stage_changed", "data": { }}and these headers:
| Header | Value |
|---|---|
Content-Type |
application/json |
X-Webhook-Event |
The event name |
X-Webhook-Signature |
HMAC-SHA256 of the raw JSON body, keyed with your signing secret |
Respond with any 2xx within a few seconds. Failed deliveries are retried
with backoff.
Verify the signature
Section titled “Verify the signature”Always verify before trusting a payload. Compute HMAC-SHA256 over the raw request body with your secret and compare constant-time:
import { createHmac, timingSafeEqual } from "node:crypto";
function isValid(rawBody, signatureHeader, secret) { const expected = createHmac("sha256", secret).update(rawBody).digest("hex"); return timingSafeEqual(Buffer.from(expected), Buffer.from(signatureHeader));}import hashlib, hmac
def is_valid(raw_body: bytes, signature_header: str, secret: str) -> bool: expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest() return hmac.compare_digest(expected, signature_header)Reject anything that doesn’t verify. Treat webhook payloads as notifications — when in doubt, re-fetch the resource from the REST API using the ids in the payload.