How outgoing webhooks work

InstaChime sends a `lead.created` payload whenever a new operational lead is captured. Use this to connect CRMs, spreadsheets, no-code automation tools, or your own middleware.

When you configure a signing secret, InstaChime signs the raw request body with `x-instachime-signature` so your receiver can verify that the request came from your workspace.

Configure a destination

  • Open `/integrations` as an owner or admin.
  • Create a CRM webhook with an HTTPS URL.
  • Add a signing secret if the receiver can verify HMAC signatures.
  • Send a sample delivery and confirm the destination receives `webhook.test`.
  • Capture a sample lead and confirm the destination receives `lead.created`.
  • Review the delivery history for status, HTTP code, response body, and retry attempts.

Payload example

{
  "event": "lead.created",
  "lead": {
    "id": "lead_uuid",
    "customer_name": "Jamie Lee",
    "email": "jamie@example.com",
    "phone": "+15555550123",
    "source_platform": "google_ads",
    "campaign": "Emergency demo campaign",
    "message": "Need pricing today",
    "lead_score": 82,
    "sentiment": "urgent",
    "company_domain": "example.com"
  }
}

Verify signatures

import crypto from "node:crypto";

function validSignature(rawBody, secret, received) {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(received));
}

Exact InstaChime destination setup

  • Sign in as an owner or admin.
  • Open `/integrations`.
  • Find the CRM outgoing webhook section.
  • Create a new destination and give it a clear name such as `HubSpot production` or `Zapier sheet export`.
  • Paste the HTTPS receiver URL from the CRM bridge, Zapier, Make, or custom middleware.
  • Add a signing secret if the receiver can verify HMAC signatures.
  • Save the destination.
  • Click the sample/test action and confirm the receiver logs `webhook.test`.
  • Submit a real sample lead and confirm the receiver logs `lead.created`.

Receiver requirements

  • Accept HTTPS POST requests.
  • Read JSON request bodies.
  • Return a 2xx status only after the destination has accepted or queued the event.
  • Return a clear 4xx status for permanent mapping/configuration failures.
  • Return a 5xx status for temporary failures that InstaChime should retry.
  • Log the InstaChime lead ID and event name in the destination system.

Signature verification steps

  • Store the signing secret in the receiver environment.
  • Read the raw request body before parsing JSON.
  • Compute HMAC-SHA256 of the raw body using the signing secret.
  • Compare the computed digest to `x-instachime-signature` using a timing-safe comparison.
  • Reject requests with missing or mismatched signatures.
  • Do not verify against a re-serialized JSON body; whitespace changes will alter the signature.

Destination troubleshooting

  • HTTP 401 or 403 usually means the receiver token or signature verification failed.
  • HTTP 404 usually means the destination URL was copied incorrectly or the Zap/scenario was deleted.
  • HTTP 422 usually means the destination received the request but rejected field mapping.
  • HTTP 429 means the destination is rate limiting; reduce burst size or add a queue in the bridge.
  • Repeated 5xx responses should be investigated in the receiver logs before increasing retry counts.