Webhooks require the Pro plan or higher.
What are Webhooks?
Webhooks are HTTP callbacks that send data to a URL you specify when events occur—such as a form submission. Orbit AI webhooks let you:
- Real-time — Data is sent immediately when a submission is received
- Flexible — Works with any service that accepts HTTP POST requests
- Secure — Verify requests using HMAC-SHA256 signatures
- Retries — Automatic retries if your endpoint fails
Setting Up a Webhook
Open your form
Open the form you want to send webhook data from.
Go to Integrations
Click Integrations in the form settings or sidebar.
Add Webhook
Click Add Webhook or Webhook.
Enter your URL
Enter the full endpoint URL (e.g., https://your-server.com/webhook).
Configure optional settings
Add custom headers or adjust the payload format if needed.
Save and test
Save the webhook and submit a test form to verify it works.
Copy your signing secret
Copy the webhook signing secret to verify requests on your server.
{
"event": "form.submitted",
"timestamp": "2025-03-07T12:00:00.000Z",
"form_id": "abc123",
"form_name": "Contact Form",
"submission_id": "sub_xyz789",
"data": {
"email": "[email protected]",
"name": "Jane Doe",
"message": "Hello, I'd like to learn more."
}
}
| Field | Description |
|---|
event | The event type (e.g., form.submitted) |
timestamp | ISO 8601 timestamp |
form_id | Unique form identifier |
form_name | Display name of the form |
submission_id | Unique submission identifier |
data | Form field values keyed by field ID or name |
Security & Verification
Orbit AI signs each webhook request with HMAC-SHA256. Verify the signature before processing.
The signature is sent in the X-Orbit-Signature header.
Verification Steps
- Get the raw request body — Use the raw bytes as received (do not parse and re-serialize JSON)
- Compute HMAC-SHA256 — Using your webhook signing secret as the key
- Compare with the header — The header value should match your computed signature
- Reject if mismatched — Do not process requests with invalid signatures
Example (Node.js):
const crypto = require('crypto');
function verifyWebhook(payload, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature, 'hex'),
Buffer.from(expected, 'hex')
);
}
Error Handling & Retries
Success Response
Your endpoint should return a 2xx status code (e.g., 200, 201, 204) to indicate successful processing.
Automatic Retries
If your endpoint returns a non-2xx status or times out, Orbit AI will retry up to 3 times with exponential backoff.
Timeout
Requests time out after 30 seconds. Ensure your endpoint responds within this window.
Next Steps
