REST Webhook (Custom CRM)

The REST Webhook (Custom CRM Integration) is how you connect Auto-Respond to a CRM or internal system that isn’t one of the directly-supported CRMs. Auto-Respond sends an HTTP POST request to an endpoint you control every time a lead event happens on this source — a new lead, new contact info, a new message. The payload is a JSON document containing the lead’s details, and every request carries a secret header so your endpoint can verify the request really came from Auto-Respond.

ℹ️

This integration requires a developer or someone who can host an endpoint that receives JSON. If you need a no-code route to a custom tool, use Zapier instead. If you just want a team alert, use Slack, SMS, WhatsApp, or Telegram.

What you’ll get

An HTTP POST to your endpoint for every lead event on this source.
A JSON body with the lead’s identity, contact info, tags, and the conversation history so far.
An X-Secret-Key header on every request so you can verify the sender.
Optional handoff mode: Auto-Respond can stop sending its own welcome message and follow-ups and let your receiver drive the conversation.

Connecting the Webhook

Open the integration

In Auto-Respond, open the source → Messaging Settings → Integrations tab → REST Webhook card.

Paste your Webhook URL

Enter the public HTTPS URL of the endpoint you want Auto-Respond to POST to. Your endpoint should accept JSON, respond with a 2xx status on success, and be reachable from the public internet.

Copy the Secret key

Auto-Respond generates a Secret key for you when the card is set up. This key is sent on every request in the X-Secret-Key HTTP header. Copy it into your receiver code and compare it against the incoming header on every request — reject any request where it doesn’t match.

You can Regenerate the secret key at any time. Regenerating invalidates the old key immediately — update your receiver before regenerating in production.

Test webhook

Click Test webhook to send a sample POST to your URL right now. Check your endpoint’s logs to confirm it arrived, and confirm your signature check passes on the test request.

Turn on the Enable toggle

The integration doesn’t POST anything until Enable is on.

Options

Enable

Turns the integration on or off for this source. Default: off.

Inherit from parent

Only shown on a location with a parent business. When on, the location uses the parent’s webhook URL and secret. When off, it has its own.

Webhook URL

The HTTPS endpoint that receives the POST. Required.

Secret key

Auto-generated by Auto-Respond. Sent on every request as the X-Secret-Key HTTP header. Your receiver should reject any request whose header doesn’t match the key you configured. Click Regenerate to issue a new one — the old key stops working immediately.

Skip welcome and follow-ups

Label: Skip welcome and follow-ups. Default: off.

When on — Auto-Respond will not send its usual welcome message or follow-up sequence for leads on this source. The webhook receiver is expected to handle the conversation.
When off — Auto-Respond sends its normal welcome and follow-ups in addition to firing the webhook.

Use this when your own system is taking over the conversation flow and you don’t want Auto-Respond’s automated messages to interfere.

Create customer only when contact info is captured

Default: off.

When on — The webhook only fires once the lead has shared a phone number or email.
When off — The webhook fires the moment the lead reaches out.

Create only for new leads

Default: off.

When on — Returning leads don’t trigger the webhook.
When off — Every lead triggers the webhook.

Include source name

Default: off. When on, the source name is included in the payload so your receiver knows which source the lead came from.

Validate Connection / Test webhook

Fires a sample POST to the URL right now so you can confirm your endpoint receives it and your signature check works.

Payload preview

The card has an expandable sample JSON block showing the shape of data Auto-Respond will POST to your endpoint.

Disconnect

Clears the webhook URL and secret and turns the integration off. Confirmation required.

Sample payload

The request is an HTTP POST with Content-Type: application/json. The X-Secret-Key header is set to your secret key. The body looks like:

{
  "lead_id": "lead_01HX7Q5W9J2E8K1M3YPABCDEFG",
  "name": "Alex Rivera",
  "email": "alex@example.com",
  "phone": "+15551234567",
  "postal_code": "90210",
  "tags": ["yelp", "hvac", "emergency"],
  "source_name": "Yelp – Downtown",
  "messages": [
    {
      "direction": "inbound",
      "text": "Hi, do you handle AC repair in 90210?",
      "timestamp": "2026-04-21T15:42:18Z"
    },
    {
      "direction": "outbound",
      "text": "Yes — what's the best number to reach you on?",
      "timestamp": "2026-04-21T15:42:35Z"
    },
    {
      "direction": "inbound",
      "text": "555-123-4567",
      "timestamp": "2026-04-21T15:43:02Z"
    }
  ],
  "integrations": {
    "created_in_crm": true,
    "crm_name": "hubspot"
  }
}

Fields included on every payload:

lead_id — stable identifier for the lead.
name, email, phone, postal_code — present when collected; omitted or null otherwise.
tags — tags attached to the lead.
source_name — included when Include source name is on.
messages — the conversation transcript so far, in chronological order.
integrations — a summary of what Auto-Respond has done with this lead in other integrations.

What your endpoint should do

Accept POST at the configured URL.
Read the X-Secret-Key header and compare it to the secret you copied out of the card. Reject any request where it doesn’t match.
Return a 2xx status code on success. Any other status is treated as a delivery failure.
Be idempotent — the same lead_id may arrive more than once as a lead updates.

Disconnecting

Open the REST Webhook card → click Disconnect → confirm. The webhook URL and secret are cleared. Regenerating or disconnecting invalidates the old secret immediately.

Troubleshooting

“Validation failed” / test webhook fails — The endpoint didn’t return a 2xx response in time. Check the URL, that the endpoint is publicly reachable over HTTPS, and that it responds quickly.
Signature check failing on my side — Make sure you’re comparing against the current secret on the card. If you regenerated the secret, the old one stops working immediately.
Not receiving anything — Confirm Enable is on. If Create customer only when contact info is captured is on, the lead hasn’t shared phone or email yet. If Create only for new leads is on, the lead may already be known.
Auto-Respond is still sending welcome messages after my webhook fires — Turn on Skip welcome and follow-ups if you want to fully hand the conversation over to your receiver.
I want duplicate protection — Use the lead_id field in the payload as an idempotency key.

Questions about the REST Webhook integration? Email support@auto-respond.com.

Last updated: April 21, 2026