Skip to content

Webhooks API

Webhooks and trusted-service seams cross org boundaries or come from external providers, so they do not carry a user JWT and do not use X-Org-Id. They authenticate with a shared secret (X-Iron-CRM-Secret), a provider signature, or a per-installation token, and resolve the org internally. All paths are under /api/v1.

Method Path Description
POST /webhooks/funnel-lead A new lead from a funnel. Creates the contact and (if the setter is enabled) enqueues a first-touch draft.
POST /webhooks/inbound-sms Inbound SMS (from the telephony engine).
POST /webhooks/inbound-email Inbound email (from the Instantly cold-email engine). Token-authed; never 500s — failures park in a dead-letter table.
POST /webhooks/bridge-call A call event from the telephony bridge.
POST /webhooks/calcom Cal.com booking webhook → appointment activities.
POST /billing/webhooks/stripe Stripe webhook — billing lifecycle and connected-account rebilling events.
  • Shared secret (X-Iron-CRM-Secret) — used by the telephony engine, internal scheduling, and other trusted in-house services. The org is passed explicitly in the body.
  • Per-installation token — for example, the Instantly inbound webhook authenticates with the installation’s token.
  • Provider signature — provider webhooks (Stripe, Jobber) verify the signature of the raw request body.
Method Path Description
GET /integrations/contacts/by-identity Resolve a contact by an external identity (used by attribution / bridging).