Webhooks & Event Notifications

Configure webhooks to notify external systems in real time when events occur in your CRM.

Overview

Webhooks allow SalesOS to push real-time notifications to external systems whenever specific events occur in your CRM. Rather than polling the API for changes, webhooks deliver event data to your specified endpoint the moment something happens — a deal moves forward, a contact is created, a payment is received, or any other trackable action.

This event-driven architecture enables powerful automations, keeps connected systems synchronized, and eliminates the latency and overhead of periodic data pulls.

Supported Events

SalesOS supports webhooks for a comprehensive set of CRM events organized by category.

Record Lifecycle Events

Event	Trigger
`record.created`	A new record is created (lead, contact, account, deal, etc.)
`record.updated`	Any field on an existing record is modified
`record.deleted`	A record is soft-deleted or permanently removed
`record.restored`	A previously deleted record is restored
`record.merged`	Two or more duplicate records are merged

Deal & Pipeline Events

Event	Trigger
`deal.stage_changed`	A deal moves to a different pipeline stage
`deal.won`	A deal is marked as Closed Won
`deal.lost`	A deal is marked as Closed Lost
`deal.amount_changed`	The deal value is updated
`deal.owner_changed`	Deal ownership is reassigned

Task & Activity Events

Event	Trigger
`task.completed`	A task is marked as done
`task.overdue`	A task passes its due date without completion
`activity.logged`	A call, email, or meeting is logged
`note.created`	A note is added to a record

Form & Communication Events

Event	Trigger
`form.submitted`	A web form or survey response is received
`email.opened`	A tracked email is opened by the recipient
`email.replied`	A reply is received to a tracked email
`email.bounced`	An email delivery fails

Financial Events

Event	Trigger
`payment.received`	A payment is successfully processed
`invoice.created`	A new invoice is generated
`invoice.overdue`	An invoice passes its due date
`quote.accepted`	A quote is accepted by the customer
`quote.expired`	A quote passes its expiration date

Creating a Webhook

Step 1: Navigate to Webhook Settings

Go to Settings > Integrations > Webhooks and click Create Webhook.

Step 2: Configure the Endpoint

Field	Description
Name	A descriptive label for this webhook (e.g., "Slack Deal Notifications")
Endpoint URL	The HTTPS URL where payloads will be delivered
Events	Select one or more events to subscribe to
Status	Active or Paused

Step 3: Add Event Filters

Filters narrow which events trigger the webhook. Without filters, all matching events fire.

Record type — Only trigger for specific objects (e.g., only Deals, not Leads)
Field conditions — Only fire when certain field values match (e.g., deal.amount > 10000)
Owner filter — Only trigger for records owned by specific users or teams
Pipeline filter — Only trigger for deals in a specific pipeline

Step 4: Save and Activate

Once saved, the webhook begins listening immediately. You can pause it at any time without deleting the configuration.

Payload Format

All webhook payloads are delivered as JSON via HTTP POST. The structure is consistent across all event types.

{
  "id": "evt_a1b2c3d4e5f6",
  "type": "deal.stage_changed",
  "timestamp": "2026-05-25T14:32:08.123Z",
  "version": "2026-01",
  "organization_id": "org_xyz789",
  "data": {
    "record_id": "deal_abc123",
    "record_type": "deal",
    "changes": {
      "stage": {
        "previous": "Proposal Sent",
        "current": "Negotiation"
      }
    },
    "record": {
      "id": "deal_abc123",
      "name": "Acme Corp Enterprise License",
      "amount": 85000,
      "owner_id": "usr_456",
      "stage": "Negotiation",
      "updated_at": "2026-05-25T14:32:08.000Z"
    }
  },
  "metadata": {
    "triggered_by": "usr_456",
    "source": "web_app",
    "ip_address": "203.0.113.42"
  }
}

Payload Fields

Field	Description
`id`	Unique event identifier for idempotency checks
`type`	The event type string
`timestamp`	ISO 8601 timestamp of when the event occurred
`version`	API version for the payload schema
`organization_id`	The org where the event originated
`data.record_id`	The ID of the affected record
`data.changes`	Object showing previous and current values (for update events)
`data.record`	Full snapshot of the record at the time of the event
`metadata`	Contextual information about who/what triggered the event

Authentication

SalesOS supports multiple methods to verify that incoming webhook payloads are legitimate.

HMAC Signature Verification

Every webhook delivery includes an X-SalesOS-Signature header containing an HMAC-SHA256 hash of the payload body using your webhook secret.

To verify:

Retrieve the raw request body (before JSON parsing)
Compute HMAC-SHA256 using your webhook secret as the key
Compare the computed hash with the value in X-SalesOS-Signature
Reject the request if they do not match

The signature header also includes a timestamp component (X-SalesOS-Timestamp) to prevent replay attacks. Reject any payload older than 5 minutes.

Custom Headers

Add up to 5 custom headers that SalesOS includes with every delivery. Useful for API keys or bearer tokens required by your endpoint.

Header Name	Value
`Authorization`	`Bearer your-api-key-here`
`X-Custom-Token`	`shared-secret-value`

Basic Authentication

Embed credentials directly in the endpoint URL: https://user:[email protected]/webhooks/salesos

SalesOS transmits the credentials via the standard Authorization: Basic header.

Testing Webhooks

Test Delivery

From the webhook detail page, click Send Test Event to deliver a sample payload to your endpoint. The test uses realistic dummy data matching your selected event type.

Payload Inspector

The built-in Payload Inspector shows:

The exact JSON body that will be sent
All headers (including authentication headers)
The computed HMAC signature
A cURL command to replicate the request manually

Local Development

For local development and testing, SalesOS supports temporary tunnel URLs from services like ngrok or Cloudflare Tunnel. Configure your local tunnel URL as the endpoint during development, then switch to production URLs before going live.

Retry Logic

If your endpoint does not return a 2xx status code, SalesOS retries delivery using exponential backoff.

Attempt	Delay After Failure
1st retry	30 seconds
2nd retry	2 minutes
3rd retry	10 minutes
4th retry	1 hour
5th retry	4 hours
6th retry	12 hours
7th retry (final)	24 hours

After 7 failed attempts, the event is marked as permanently failed and no further retries are attempted.

Automatic Disabling

If a webhook endpoint fails to respond successfully for 72 consecutive hours, SalesOS automatically pauses the webhook and sends an email notification to the organization admin. Re-enable it manually once the endpoint issue is resolved.

Webhook Logs

The Delivery History tab on each webhook provides full visibility into every delivery attempt.

Log Entry Details

Event ID — Unique identifier for the event
Event Type — The event that triggered delivery
Timestamp — When the delivery attempt occurred
Status Code — HTTP response code from your endpoint
Response Time — How long your endpoint took to respond
Response Body — First 1KB of the response (for debugging)
Retry Count — Number of delivery attempts

Filtering Logs

Filter delivery history by:

Status (Success, Failed, Pending Retry)
Event type
Date range
Response code

Logs are retained for 30 days. Export them as CSV for longer-term analysis.

Pause or resume in bulk
Delete multiple webhooks
Export configurations as JSON (for backup or migration)

Rate Limits

Limit	Value
Maximum webhooks per organization	50
Maximum events per webhook	25
Delivery rate	1,000 events per minute per endpoint
Payload size	256 KB maximum
Endpoint response timeout	30 seconds
Concurrent deliveries	10 per webhook

If your endpoint receives events faster than it can process them, implement a queue on your side to buffer incoming payloads.

Common Integrations

Zapier

Use SalesOS webhooks as a trigger in Zapier Zaps:

Create a Zap with "Webhooks by Zapier" as the trigger (Catch Hook)
Copy the Zapier webhook URL
Create a SalesOS webhook pointing to that URL
Map the payload fields in your Zap's subsequent steps

Make (formerly Integromat)

Configure a "Custom Webhook" module in Make:

Add a Custom Webhook module to your scenario
Copy the generated URL
Create a SalesOS webhook with that URL
Run a test delivery to establish the data structure in Make

Slack Notifications

Send CRM events directly to Slack channels:

Create a Slack Incoming Webhook URL for your target channel
Create a middleware function (or use Zapier/Make) to transform the SalesOS payload into Slack Block Kit format
Route transformed payloads to the Slack webhook URL

Custom Applications

For custom integrations, your endpoint should:

Accept POST requests with Content-Type: application/json
Validate the HMAC signature before processing
Return a 200 status code within 30 seconds
Process the event asynchronously if handling takes longer

Security Considerations

Endpoint Security

Always use HTTPS endpoints — SalesOS rejects plain HTTP URLs
Validate HMAC signatures on every incoming request
Implement timestamp validation to prevent replay attacks
Restrict inbound traffic to SalesOS IP ranges (published in your account settings)

Data Sensitivity

Webhook payloads may contain sensitive customer data
Ensure your receiving endpoint has appropriate access controls
Consider filtering which fields are included in payloads (use field inclusion lists)
Audit who has access to webhook configuration in your organization

Secret Rotation

Rotate your webhook signing secret periodically:

Generate a new secret in webhook settings
During the grace period (24 hours), both old and new secrets are valid
Update your verification logic to use the new secret
After the grace period, only the new secret works

Best Practices

Use HMAC verification — Always validate webhook signatures to ensure payloads originate from SalesOS and have not been tampered with.
Respond quickly — Return a 200 response immediately, then process the event asynchronously. Long-running processing should happen in a background job.
Implement idempotency — Use the event id field to detect and ignore duplicate deliveries. Network issues can cause the same event to be delivered more than once.
Monitor delivery health — Regularly check webhook logs for elevated failure rates. Set up alerts for repeated failures.
Use event filters — Subscribe only to the events and record types you need. Overly broad subscriptions waste bandwidth and processing resources.
Handle schema evolution — Parse payloads tolerantly. New fields may be added to payloads without a version change. Never fail on unknown fields.
Keep endpoints available — Ensure your webhook endpoint has high uptime. Use redundant infrastructure or a message queue as a buffer.
Log incoming payloads — Store raw payloads before processing them. This aids debugging when integration issues arise.
Test before going live — Use the test delivery feature and payload inspector to validate your endpoint handles the format correctly before activating in production.
Document your webhooks — Maintain a registry of active webhooks, their purposes, and the team responsible for each receiving endpoint.

Webhooks & Event Notifications

On this page