Skip to main content
Xobito can push events to a URL on your server when contacts, statuses, or sources are created, updated, or deleted. This is how you keep your own systems in sync with the workspace.
Outbound webhooks cover contacts, statuses, and sources only. Message delivery events (sent/delivered/read/failed), campaign events, template approval events, ticket events, and conversation events do not fire outbound webhooks. For message delivery state, poll GET /messages/{messageId}/status.

Configuring webhooks

1

Open Webhook Settings

In your dashboard go to Settings → Webhook Settings.
2

Enable webhooks

Toggle webhook_enabled on.
3

Set the URL

Enter a single webhook_url. Every configured event is POSTed to this URL.
4

Pick the events

Check the boxes for the events you want:
  • contacts_actions — create / update / delete
  • status_actions — create / update / delete
  • source_actions — create / update / delete
5

Save

Changes take effect immediately.

Payload

Every webhook POST has this shape: 
{
  "event": "created",
  "model": "App\\Models\\Tenant\\Contact",
  "data": {
    "id": 123,
    "attributes": {
      "firstname": "John",
      "lastname": "Doe",
      "phone": "+14155551234",
      "email": "john@example.com",
      "type": "lead",
      "status_id": 1,
      "source_id": 2
    },
    "relations": {}
  },
  "original": null,
  "timestamp": "2026-04-16T12:34:56+00:00"
}
FieldMeaning
eventOne of "created", "updated", "deleted".
modelFully qualified model class — use this to tell contact/status/source apart.
data.idPrimary key of the record.
data.attributesFull attribute set of the record at the time of the event.
data.relationsReserved for eager-loaded relations (usually empty).
originalUsually null.
timestampISO-8601 time the event was dispatched.
See Webhook Events for every event and an example payload of each.

Delivery guarantees

PropertyValue
DeliveryHTTP POST, JSON body
AttemptsUp to 3 total
Backoff0s, 2s, 4s (exponential)
ExecutionSynchronous — not queued
Timeout30 seconds per attempt
LoggingEvery attempt is written to the internal webhook_logs table, purged after 30 days
Because webhooks are executed synchronously, your endpoint latency directly affects Xobito dashboard responsiveness. Return 2xx quickly (ideally under 1 second) and do the heavy work asynchronously on your side.

Verifying requests

Every webhook request carries an HMAC-SHA256 signature in the X-Webhook-Signature header. See Webhook Security for how to verify.

Testing

There is no “Send test event” button in the current version. To test your endpoint, trigger a real event — for example, create a contact in the dashboard and watch your server for the created POST.

Incoming (Meta → Xobito) webhooks

Separate from outbound webhooks above, Xobito also receives inbound events from the Meta Cloud API (incoming messages, delivery receipts, template status changes). These are not customer configurable — they are set up automatically when you connect your Meta Business account. Do not confuse the two systems.

Next steps

Webhook Events

The 9 events Xobito actually sends, with example payloads.

Webhook Security

HMAC signature verification.