What are webhooks?
Instead of polling the REST API on a cron, register a webhook endpoint and EquateIt will POST a signed event to your URL the moment something changes — a session completes, a payment lands, an invoice is paid, a lead arrives. Pipe those events straight into your CRM, Zapier/Make, Slack, or a data warehouse. Each event body is byte-identical to the matching/v1 resource, so you already
know its shape.
Create an endpoint
In Settings → Developers → Webhooks (org admins only):- Click Add endpoint and enter your HTTPS URL.
- Tick the events you want to receive.
- Copy the signing secret — it is shown once. Store it now; you can’t retrieve it again (you can rotate it later).
https:// on port 443. URLs that resolve to private,
loopback, or link-local addresses are rejected (SSRF protection), both when you
create the endpoint and again at delivery time.
Use Send test event to fire a synthetic webhook.ping and confirm your
signature-verification wiring before relying on real events.
Event catalog
Subscribe to
* to receive all current and future event types.
Payload shape
Every delivery is a JSON envelope. Thedata block is exactly the /v1
resource shape (e.g. session.* → the Session object).
Headers
Verify the signature
We computeHMAC-SHA256(secret, "{t}.{raw_body}") — over the timestamp and
the raw body, so a captured body can’t be replayed with a different timestamp.
Recompute it with your secret, compare in constant time, and reject anything
older than 5 minutes.
2xx status to acknowledge receipt. Anything else (or a
timeout) is treated as a failure and retried.
Idempotency & ordering
Delivery is at-least-once and may arrive out of order. Dedupe onEquateIt-Event-Id — it is stable across automatic retries and manual
redeliveries of the same event.
Retries
Failed deliveries retry with exponential backoff (30s, 60s, 2m, 4m … capped at 6 hours) for up to 10 attempts. After that the delivery is dead-lettered, and an endpoint that fails repeatedly is auto-disabled (the org owner is notified). You can manually Redeliver any failed or dead delivery from the delivery log, re-enable a disabled endpoint, or rotate the signing secret at any time.Security notes
- We only POST to verified
https://URLs and never follow redirects. - The signing secret is stored encrypted and is never shown after creation — rotate it if you suspect it leaked.
- Lead events include the lead’s email and a safe subset of submitted fields;
analytics fields (
ip_address,user_agent) are never sent.