Skip to main content
Webhooks require the Pro plan or higher.

What are Webhooks?

Webhooks are HTTP callbacks that send data to a URL you specify when events occur—such as a form submission. Orbit AI webhooks let you:
  • Real-time — Data is sent immediately when a submission is received
  • Flexible — Works with any service that accepts HTTP POST requests
  • Secure — Verify requests using HMAC-SHA256 signatures
  • Retries — Automatic retries if your endpoint fails

Setting Up a Webhook

1

Open your form

Open the form you want to send webhook data from.
2

Go to Integrations

Click Integrations in the form settings or sidebar.
3

Add Webhook

Click Add Webhook or Webhook.
4

Enter your URL

Enter the full endpoint URL (e.g., https://your-server.com/webhook).
5

Configure optional settings

Add custom headers or adjust the payload format if needed.
6

Save and test

Save the webhook and submit a test form to verify it works.
7

Copy your signing secret

Copy the webhook signing secret to verify requests on your server.

Payload Format

Each webhook request is sent as a JSON payload with the following structure: 
{
  "event": "form.submitted",
  "timestamp": "2025-03-07T12:00:00.000Z",
  "form_id": "abc123",
  "form_name": "Contact Form",
  "submission_id": "sub_xyz789",
  "data": {
    "email": "[email protected]",
    "name": "Jane Doe",
    "message": "Hello, I'd like to learn more."
  }
}
FieldDescription
eventThe event type (e.g., form.submitted)
timestampISO 8601 timestamp
form_idUnique form identifier
form_nameDisplay name of the form
submission_idUnique submission identifier
dataForm field values keyed by field ID or name

Security & Verification

Orbit AI signs each webhook request with HMAC-SHA256. Verify the signature before processing.

Signature Header

The signature is sent in the X-Orbit-Signature header.

Verification Steps

  1. Get the raw request body — Use the raw bytes as received (do not parse and re-serialize JSON)
  2. Compute HMAC-SHA256 — Using your webhook signing secret as the key
  3. Compare with the header — The header value should match your computed signature
  4. Reject if mismatched — Do not process requests with invalid signatures
Example (Node.js): 
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expected, 'hex')
  );
}

Error Handling & Retries

Success Response

Your endpoint should return a 2xx status code (e.g., 200, 201, 204) to indicate successful processing.

Automatic Retries

If your endpoint returns a non-2xx status or times out, Orbit AI will retry up to 3 times with exponential backoff.

Timeout

Requests time out after 30 seconds. Ensure your endpoint responds within this window.

Next Steps

Integrations

Connect to CRMs, Slack, and more

API Reference

Programmatic access to forms and submissions