Webhook payload reference

When you register a webhook under Workspace → Webhooks, we POST
a JSON body to your URL on every matching event. Requests include
an X-FMX-Signature HMAC header so you can verify authenticity.

All events share these envelope fields:

json { "event": "lead.created", "workspaceId": 42, "timestamp": "2026-04-20T18:30:00Z", "data": { ... } }

Event catalogue:

Fires when a scrape job produces a new lead.

json { "event": "lead.created", "data": { "leadId": 1234, "businessName": "Acme Dental", "email": "hello@acmedental.com", "domain": "acmedental.com", "source": "google_maps", "jobId": 99 } }

Fires on sequence-step send + open-tracking pixel + click-redirect.

json { "event": "email.opened", "data": { "leadId": 1234, "enrollmentId": 55, "stepNumber": 2, "mailboxId": 7, "openedAt": "2026-04-20T18:45:00Z" } }

Fires when IMAP detects a new reply threaded to a campaign message.

json { "event": "email.replied", "data": { "leadId": 1234, "enrollmentId": 55, "subject": "Re: quick question", "snippet": "Thanks, send over more info…", "receivedAt": "2026-04-20T19:00:00Z" } }

Fires on every inbound WhatsApp message.

json { "event": "whatsapp.received", "data": { "phone": "971501234567", "contactName": "Abdullah", "message": "Hi, interested in your offer", "conversationId": 88, "isGroup": false, "messageType": "text" } }

Fires when an SEO audit run finishes.

json { "event": "audit.completed", "data": { "auditId": 17, "domain": "example.com", "overallScore": 78, "criticalIssues": 3, "totalIssues": 42 } }

Fires from the uptime cron when a monitored URL changes state.

json { "event": "monitor.down", "data": { "monitorId": 4, "url": "https://example.com", "httpStatus": 503, "reason": "Service Unavailable", "downAt": "2026-04-20T18:55:00Z" } }

Every request includes X-FMX-Signature: sha256=<hex> computed as
HMAC-SHA256(webhook_secret, raw_request_body). Verify before
processing.