> ## Documentation Index
> Fetch the complete documentation index at: https://docs.leavo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Inbound Webhooks

> Configure webhooks to receive event notifications

## Create Webhook

<Card>
  <strong>POST</strong> `/backend/webhooks`
</Card>

### Body Parameters

<ParamField body="url" type="string" required>
  URL that will receive notifications
</ParamField>

<ParamField body="events" type="array" required>
  List of events to subscribe to
</ParamField>

<ParamField body="active" type="boolean" default="true">
  Whether webhook is active
</ParamField>

### Request Example

<CodeGroup>
  ```bash cURL theme={null}
  curl -X POST "https://api.leavo.ai/backend/webhooks" \
    -H "Authorization: Bearer your_api_key_here" \
    -H "Content-Type: application/json" \
    -d '{
      "url": "https://your-app.com/webhooks/leavo",
      "events": ["lead.created", "lead.status_changed", "message.received"],
      "active": true
    }'
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch('https://api.leavo.ai/backend/webhooks', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer your_api_key_here',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      url: 'https://your-app.com/webhooks/leavo',
      events: ['lead.created', 'lead.status_changed', 'message.received'],
      active: true
    })
  });
  ```
</CodeGroup>

### Response

```json theme={null}
{
  "success": true,
  "data": {
    "id": "webhook-uuid",
    "url": "https://your-app.com/webhooks/leavo",
    "events": ["lead.created", "lead.status_changed", "message.received"],
    "active": true,
    "secret": "whsec_xxxxxxxxxxxxx",
    "created_at": "2024-01-15T10:30:00Z"
  }
}
```

<Warning>
  Store the `secret` securely. It's used to verify that requests actually came from Leavo.
</Warning>

## Signature Verification

Every webhook includes an `X-Leavo-Signature` header. Verify it to ensure authenticity:

```javascript theme={null}
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}
```
