Webhooks Overview

Xobito can push events to a URL on your server in four categories:

CRUD events — contacts, statuses, sources are created/updated/deleted
Message delivery status events — message.sent, message.delivered, message.read, message.failed (live as of 2026-05-28)

All events POST to the same webhook_url you configure. Message delivery events use a different, simpler payload than CRUD events — see Webhook Events.

These categories still do not fire outbound webhooks: campaigns, template approvals, tickets, and conversations. For those, poll the relevant API endpoint.

Configuring webhooks

Open Webhook Settings

In your dashboard go to Settings → Webhook Management.

Enable webhook access

Toggle Enable Webhook Access on.

Set the URL

Enter your webhook_url. Every configured event is POSTed to this URL.

Pick the events (CRUD)

Toggle the events you want:

Contacts — Create / Update / Delete
Statuses (contact status labels) — Create / Update / Delete
Sources (contact source labels) — Create / Update / Delete

Message delivery status events

These fire automatically for every send when Enable Webhook Access is on. No per-event toggle in the UI — you receive all four (message.sent, message.delivered, message.read, message.failed) at the same webhook_url. If you only want a subset, filter in your handler by event.

Save

Changes take effect immediately.

Payload

Every webhook POST has this shape:

{
  "event": "created",
  "model": "App\\Models\\Tenant\\Contact",
  "data": {
    "id": 123,
    "attributes": {
      "firstname": "John",
      "lastname": "Doe",
      "phone": "+14155551234",
      "email": "john@example.com",
      "type": "lead",
      "status_id": 1,
      "source_id": 2
    },
    "relations": {}
  },
  "original": null,
  "timestamp": "2026-04-16T12:34:56+00:00"
}

Field	Meaning
`event`	One of `"created"`, `"updated"`, `"deleted"`.
`model`	Fully qualified model class — use this to tell contact/status/source apart.
`data.id`	Primary key of the record.
`data.attributes`	Full attribute set of the record at the time of the event.
`data.relations`	Reserved for eager-loaded relations (usually empty).
`original`	Usually `null`.
`timestamp`	ISO-8601 time the event was dispatched.

See Webhook Events for every event and an example payload of each.

Delivery guarantees

Property	Value
Delivery	HTTP POST, JSON body
Attempts	Up to 3 total
Backoff	`1s` before attempt 2, `2s` before attempt 3 (exponential — first attempt fires immediately)
Execution	Synchronous — not queued
Timeout	`30` seconds per attempt
Logging	Every attempt is written to the internal `webhook_logs` table, purged after 30 days

Xobito issues a unique signing secret per workspace. If you do not yet have your secret, contact Xobito support to have one issued and rotated.

Because webhooks are executed synchronously, your endpoint latency directly affects Xobito dashboard responsiveness. Return 2xx quickly (ideally under 1 second) and do the heavy work asynchronously on your side.

Verifying requests

Every webhook request carries an HMAC-SHA256 signature in the X-Webhook-Signature header. See Webhook Security for how to verify.

Testing

There is no “Send test event” button in the current version. To test your endpoint, trigger a real event — for example, create a contact in the dashboard and watch your server for the created POST.

Incoming (Meta → Xobito) webhooks

Separate from outbound webhooks above, Xobito also receives inbound events from the Meta Cloud API (incoming messages, delivery receipts, template status changes). These are not customer configurable — they are set up automatically when you connect your Meta Business account. Do not confuse the two systems.

​Configuring webhooks

​Payload

​Delivery guarantees

​Verifying requests

​Testing

​Incoming (Meta → Xobito) webhooks

​Next steps

Webhook Events

Webhook Security

Configuring webhooks

Payload

Delivery guarantees

Verifying requests

Testing

Incoming (Meta → Xobito) webhooks

Next steps