Skip to main content

What are webhooks?

Instead of polling the REST API on a cron, register a webhook endpoint and EquateIt will POST a signed event to your URL the moment something changes — a session completes, a payment lands, an invoice is paid, a lead arrives. Pipe those events straight into your CRM, Zapier/Make, Slack, or a data warehouse. Each event body is byte-identical to the matching /v1 resource, so you already know its shape.

Create an endpoint

In Settings → Developers → Webhooks (org admins only):
  1. Click Add endpoint and enter your HTTPS URL.
  2. Tick the events you want to receive.
  3. Copy the signing secret — it is shown once. Store it now; you can’t retrieve it again (you can rotate it later).
Your URL must use https:// on port 443. URLs that resolve to private, loopback, or link-local addresses are rejected (SSRF protection), both when you create the endpoint and again at delivery time. Use Send test event to fire a synthetic webhook.ping and confirm your signature-verification wiring before relying on real events.

Event catalog

Subscribe to * to receive all current and future event types.

Payload shape

Every delivery is a JSON envelope. The data block is exactly the /v1 resource shape (e.g. session.* → the Session object).

Headers

Verify the signature

We compute HMAC-SHA256(secret, "{t}.{raw_body}") — over the timestamp and the raw body, so a captured body can’t be replayed with a different timestamp. Recompute it with your secret, compare in constant time, and reject anything older than 5 minutes.
Respond with any 2xx status to acknowledge receipt. Anything else (or a timeout) is treated as a failure and retried.

Idempotency & ordering

Delivery is at-least-once and may arrive out of order. Dedupe on EquateIt-Event-Id — it is stable across automatic retries and manual redeliveries of the same event.

Retries

Failed deliveries retry with exponential backoff (30s, 60s, 2m, 4m … capped at 6 hours) for up to 10 attempts. After that the delivery is dead-lettered, and an endpoint that fails repeatedly is auto-disabled (the org owner is notified). You can manually Redeliver any failed or dead delivery from the delivery log, re-enable a disabled endpoint, or rotate the signing secret at any time.

Security notes

  • We only POST to verified https:// URLs and never follow redirects.
  • The signing secret is stored encrypted and is never shown after creation — rotate it if you suspect it leaked.
  • Lead events include the lead’s email and a safe subset of submitted fields; analytics fields (ip_address, user_agent) are never sent.