Lead Webhooks Reference
Payload shape and HMAC signature verification for the lead.created webhook event.
Lead webhooks are configured from Settings & Account and fire when a visitor submits the widget's enquiry form.
Event
Only one event is currently delivered: lead.created.
Payload
{
"event": "lead.created",
"timestamp": "2026-07-15T09:00:00.000Z",
"data": {
"id": "lead_uuid",
"agent_id": "agent_uuid",
"visitor_name": "Jane Doe",
"visitor_email": "jane@example.com",
"visitor_message": "Do you offer annual billing?",
"status": "new",
"created_at": "2026-07-15T09:00:00.000Z"
}
}Request headers
| Header | Description |
|---|---|
Content-Type | application/json |
User-Agent | Mozo-Webhooks/1.0 |
X-Mozo-Signature | Present only if the webhook has a secret configured |
Verifying the signature
If you set a secret when creating the webhook, every request includes an HMAC-SHA256
signature of the raw JSON body, hex-encoded, in the X-Mozo-Signature header:
import { createHmac, timingSafeEqual } from "crypto";
function isValidMozoSignature(rawBody, signatureHeader, secret) {
const expected = createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
const a = Buffer.from(signatureHeader ?? "");
const b = Buffer.from(expected);
return a.length === b.length && timingSafeEqual(a, b);
}Compute the signature over the exact raw request body bytes, before any JSON parsing — re-serializing the parsed object can produce a different byte sequence and fail verification.
Scope
A webhook can be scoped to a single agent, or left agent-less to receive leads from every agent in your organization. Webhooks can be individually enabled, disabled, tested, or deleted from Settings.