Lead Webhooks Reference

Payload shape and HMAC signature verification for the lead.created webhook event.

Lead webhooks are configured from Settings & Account and fire when a visitor submits the widget's enquiry form.

Event

Only one event is currently delivered: lead.created.

Payload

JSON
{
  "event": "lead.created",
  "timestamp": "2026-07-15T09:00:00.000Z",
  "data": {
    "id": "lead_uuid",
    "agent_id": "agent_uuid",
    "visitor_name": "Jane Doe",
    "visitor_email": "jane@example.com",
    "visitor_message": "Do you offer annual billing?",
    "status": "new",
    "created_at": "2026-07-15T09:00:00.000Z"
  }
}

Request headers

HeaderDescription
Content-Typeapplication/json
User-AgentMozo-Webhooks/1.0
X-Mozo-SignaturePresent only if the webhook has a secret configured

Verifying the signature

If you set a secret when creating the webhook, every request includes an HMAC-SHA256 signature of the raw JSON body, hex-encoded, in the X-Mozo-Signature header:

import { createHmac, timingSafeEqual } from "crypto";
 
function isValidMozoSignature(rawBody, signatureHeader, secret) {
  const expected = createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");
 
  const a = Buffer.from(signatureHeader ?? "");
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

Compute the signature over the exact raw request body bytes, before any JSON parsing — re-serializing the parsed object can produce a different byte sequence and fail verification.

Scope

A webhook can be scoped to a single agent, or left agent-less to receive leads from every agent in your organization. Webhooks can be individually enabled, disabled, tested, or deleted from Settings.