Navigation
Made For Law/Docs

Webhooks

1 min read

Event types, payload format, and HMAC verification for outbound webhooks.

Overview

Made For Law sends lead notifications to configured webhook endpoints. For Zapier, use Webhooks by Zapier -> Catch Hook and paste the Catch Hook URL into Made For Law. For custom webhook endpoints, provide an HTTPS endpoint that accepts JSON POST requests and returns a 2xx response on success.

See the Integrations section for Zapier setup.

Event types

Event Description Payload includes
lead.created New calculator lead created Lead details, estimate data, source metadata

Payload format

A standard lead payload follows this shape:

json
{
  "event": "lead.created",
  "event_type": "lead.created",
  "tenant": {
    "id": "tenant_xxxxxxxxxxxx",
    "name": "Example Law Firm"
  },
  "lead": {
    "id": "lead_xxxxxxxxxxxx",
    "created_at": "2026-05-21T14: 30: 00Z",
    "first_name": "Jane",
    "last_name": "Smith",
    "name": "Jane Smith",
    "email": "[email protected]",
    "phone": "555-0123",
    "state": "CA",
    "calculator": "probate"
  },
  "estimate": {
    "id": "est_xxxxxxxxxxxx",
    "total": 23000,
    "currency": "USD",
    "pdf": "https://example.com/sample.pdf"
  },
  "source": {
    "page_url": "https://www.yourfirm.com/probate",
    "utm_source": "google"
  },
  "pdf": {
    "url": "https://example.com/sample.pdf"
  }
}

HMAC verification

For direct webhook integrations, outbound webhooks may include HMAC signatures for verification:

Header Description
x-signature HMAC-SHA256 signature of the request body
x-timestamp Unix timestamp of the request

Verifying the signature

javascript
"hl-kw">const crypto = require("crypto");

"hl-kw">function verifyWebhook(body, signature, timestamp, secret) {
  "hl-kw">const payload = `${timestamp}.${body}`;
  "hl-kw">const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");

  "hl-kw">return crypto.timingSafeEqual(
    Buffer."hl-kw">from(signature),
    Buffer."hl-kw">from(expected)
  );
}
⚠️

Always verify the x-timestamp is within 5 minutes of the current time to prevent replay attacks.

Was this page helpful?