Guides
Webhooks
Turn CurateOne events into pushes to your own systems — signed, so you can trust every delivery.
Setting up
- In the app, open Settings → Automations and create a rule.
- Pick a trigger —
lead.created,lead.status_changed,form.submitted, orsite.published. - Choose the Send webhook action and paste your HTTPS endpoint URL.
Deliveries are JSON POSTs. Every run is recorded in the automation's log, so failed deliveries are visible in the app.
Verifying signatures
Each delivery carries an x-curateone-signature header: an HMAC-SHA256 of the raw request body, hex-encoded and prefixed with sha256=, keyed with your webhook's signing secret. Verify before trusting the payload:
import { createHmac, timingSafeEqual } from "node:crypto";
export function verifyCurateOneWebhook(rawBody, signatureHeader, secret) {
const expected = "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
const a = Buffer.from(expected);
const b = Buffer.from(signatureHeader || "");
return a.length === b.length && timingSafeEqual(a, b);
}Compute the HMAC over the raw request bytes — parse the JSON only after the signature checks out. Reject unsigned or mismatched deliveries with a 401.
Delivery expectations
- Respond with a 2xx within a few seconds; do heavy work asynchronously.
- Deliveries are at-least-once — deduplicate on the payload's ids if double-processing would hurt.
- Webhooks push events; the REST API is the source of truth to re-sync from after downtime.