Available event types
Webhook endpoints can subscribe to message.received, message.sent, contact.created, contact.updated, escalation.created, and escalation.resolved.
Each delivery includes X-LeadCeleris-Event, X-LeadCeleris-Delivery-Id, and X-LeadCeleris-Signature headers.
Verify the signature
Read the raw request body before JSON parsing. The signature header uses t=<unix timestamp>,v1=<hex digest>. Compute HMAC-SHA256 over timestamp + '.' + rawBody with the webhook signing secret and compare the digest in constant time.
Reject invalid signatures and timestamps outside your accepted replay window before running any business logic.
Handle deliveries safely
Return a successful HTTP response quickly, then process the event asynchronously. Use the delivery ID for idempotency so retries cannot create duplicate actions.
- Log the event type and delivery ID, not secrets
- Make handlers safe to run more than once
- Test endpoint behavior from the Developers page before enabling production workflows
