Webhooks and trusted-service seams cross org boundaries or come from external providers, so they
do not carry a user JWT and do not use X-Org-Id. They authenticate with a shared secret
(X-Iron-CRM-Secret), a provider signature, or a per-installation token, and resolve the org
internally. All paths are under /api/v1.
| Method |
Path |
Description |
POST |
/webhooks/funnel-lead |
A new lead from a funnel. Creates the contact and (if the setter is enabled) enqueues a first-touch draft. |
POST |
/webhooks/inbound-sms |
Inbound SMS (from the telephony engine). |
POST |
/webhooks/inbound-email |
Inbound email (from the Instantly cold-email engine). Token-authed; never 500s — failures park in a dead-letter table. |
POST |
/webhooks/bridge-call |
A call event from the telephony bridge. |
POST |
/webhooks/calcom |
Cal.com booking webhook → appointment activities. |
POST |
/billing/webhooks/stripe |
Stripe webhook — billing lifecycle and connected-account rebilling events. |
- Shared secret (
X-Iron-CRM-Secret) — used by the telephony engine, internal scheduling,
and other trusted in-house services. The org is passed explicitly in the body.
- Per-installation token — for example, the Instantly inbound webhook authenticates with the
installation’s token.
- Provider signature — provider webhooks (Stripe, Jobber) verify the signature of the raw
request body.
| Method |
Path |
Description |
GET |
/integrations/contacts/by-identity |
Resolve a contact by an external identity (used by attribution / bridging). |