Webhooks
1 min read
Event types, payload format, and HMAC verification for outbound webhooks.
Overview
Made For Law can send webhook notifications to your server when events occur. Webhooks are delivered via Zapier — see the Integrations section for setup.
For custom webhook endpoints (without Zapier), you can use Zapier's Webhooks by Zapier action to forward data to any URL.
Event Types
| Event | Description | Payload Includes |
|---|---|---|
lead.captured |
New lead submitted | Lead details, estimate data |
estimate.completed |
Calculation finished | Estimate results |
Payload Format
All webhook payloads follow this structure:
json
{
"event": "lead.captured",
"timestamp": "2024-03-15T14: 30: 00Z",
"data": {
"lead_name": "Jane Smith",
"lead_email": "[email protected]",
"lead_phone": "555-0123",
"estate_value": 500000,
"state": "CA",
"total_fees": 23000,
"estimate_id": "est_xxxxxxxxxxxx",
"source_url": "https://www.yourfirm.com/probate"
}
}HMAC Verification
For direct webhook integrations (non-Zapier), outbound webhooks include HMAC signatures for verification:
| Header | Description |
|---|---|
x-signature |
HMAC-SHA256 signature of the request body |
x-timestamp |
Unix timestamp of the request |
Verifying the Signature
javascript
"hl-kw">const crypto = require('crypto');
"hl-kw">function verifyWebhook(body, signature, timestamp, secret) {
"hl-kw">const payload = `${timestamp}.${body}`;
"hl-kw">const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
"hl-kw">return crypto.timingSafeEqual(
Buffer."hl-kw">from(signature),
Buffer."hl-kw">from(expected)
);
}⚠️
Always verify the x-timestamp is within 5 minutes of the current time to prevent replay attacks.
Was this page helpful?