How outgoing webhooks work
InstaChime sends a `lead.created` payload whenever a new operational lead is captured. Use this to connect CRMs, spreadsheets, no-code automation tools, or your own middleware.
When you configure a signing secret, InstaChime signs the raw request body with `x-instachime-signature` so your receiver can verify that the request came from your workspace.
Configure a destination
- Open `/integrations` as an owner or admin.
- Create a CRM webhook with an HTTPS URL.
- Add a signing secret if the receiver can verify HMAC signatures.
- Send a sample delivery and confirm the destination receives `webhook.test`.
- Capture a sample lead and confirm the destination receives `lead.created`.
- Review the delivery history for status, HTTP code, response body, and retry attempts.
Payload example
{
"event": "lead.created",
"lead": {
"id": "lead_uuid",
"customer_name": "Jamie Lee",
"email": "jamie@example.com",
"phone": "+15555550123",
"source_platform": "google_ads",
"campaign": "Emergency demo campaign",
"message": "Need pricing today",
"lead_score": 82,
"sentiment": "urgent",
"company_domain": "example.com"
}
}Verify signatures
import crypto from "node:crypto";
function validSignature(rawBody, secret, received) {
const expected = crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(received));
}Exact InstaChime destination setup
- Sign in as an owner or admin.
- Open `/integrations`.
- Find the CRM outgoing webhook section.
- Create a new destination and give it a clear name such as `HubSpot production` or `Zapier sheet export`.
- Paste the HTTPS receiver URL from the CRM bridge, Zapier, Make, or custom middleware.
- Add a signing secret if the receiver can verify HMAC signatures.
- Save the destination.
- Click the sample/test action and confirm the receiver logs `webhook.test`.
- Submit a real sample lead and confirm the receiver logs `lead.created`.
Receiver requirements
- Accept HTTPS POST requests.
- Read JSON request bodies.
- Return a 2xx status only after the destination has accepted or queued the event.
- Return a clear 4xx status for permanent mapping/configuration failures.
- Return a 5xx status for temporary failures that InstaChime should retry.
- Log the InstaChime lead ID and event name in the destination system.
Signature verification steps
- Store the signing secret in the receiver environment.
- Read the raw request body before parsing JSON.
- Compute HMAC-SHA256 of the raw body using the signing secret.
- Compare the computed digest to `x-instachime-signature` using a timing-safe comparison.
- Reject requests with missing or mismatched signatures.
- Do not verify against a re-serialized JSON body; whitespace changes will alter the signature.
Destination troubleshooting
- HTTP 401 or 403 usually means the receiver token or signature verification failed.
- HTTP 404 usually means the destination URL was copied incorrectly or the Zap/scenario was deleted.
- HTTP 422 usually means the destination received the request but rejected field mapping.
- HTTP 429 means the destination is rate limiting; reduce burst size or add a queue in the bridge.
- Repeated 5xx responses should be investigated in the receiver logs before increasing retry counts.