LeadToSheet LogoLeadToSheet

Getting Started with Webhooks

Send each form submission to your CRM, automation tool, or custom backend the moment it arrives.

What webhooks do

Webhooks let LeadToSheet POST a JSON payload to a URL you control every time a form submission is captured. You can use this to push leads into a CRM, trigger Zapier or Make automations, send Slack notifications, or fan out to any internal system.

Webhooks fire in real time, in addition to the Google Sheets sync - they don't replace it.

Adding a webhook endpoint

Webhook endpoints are configured per site. You'll find them under Settings → Webhooks for the site you want to wire up.

  1. 1

    Open the site's Webhooks page

    From the sidebar, choose the site you want, click Settings, then open the Webhooks tab.

  2. 2

    Add a new endpoint

    Click "Add Endpoint" to open the configuration form.

  3. 3

    Enter the destination URL

    Paste the URL where LeadToSheet should POST submissions. It must be a public HTTP or HTTPS URL - HTTPS is strongly recommended for any production endpoint.

  4. 4

    Choose an HTTP method

    POST, PUT, or PATCH are supported. POST is the right choice for most integrations.

  5. 5

    Pick a form scope

    Choose "All forms" to send every submission on this site, or pick a specific form to scope the webhook to a single form.

  6. 6

    (Optional) Add a field whitelist

    By default LeadToSheet sends every captured field. Enter a comma- or newline-separated list to send only specific field names (e.g. email, phone, company).

  7. 7

    (Optional) Add custom headers

    Add any custom HTTP headers the receiving system requires, such as an API key or bearer token.

  8. 8

    (Optional) Toggle metadata

    Leave "Include metadata" enabled to send UTM parameters, ad click IDs, and browser data alongside the submission. Disable it for a leaner payload.

  9. 9

    Click Create Endpoint

    The endpoint becomes active immediately and will receive the next matching submission.

The webhook payload

Each delivery is a JSON POST body with an event of "submission.created". The full shape:

  • event - always "submission.created" for live deliveries (or "submission.test" if you click Test on the endpoint)
  • timestamp - ISO 8601 timestamp of the delivery
  • submission - id, formId, fields (key/value object of captured fields), submittedAt, url
  • form - id, fingerprint, formName, action
  • client - id, name
  • metadata (optional) - userAgent, utmSource/Medium/Campaign/Term/Content, gclid, fbclid, msclkid, ttclid, liFatId, language, platform, timezone, referrer

Note

If you set a field whitelist, only the listed keys appear under submission.fields. Other captured fields are excluded from the payload entirely.

Verifying webhook signatures

Every webhook delivery is signed so your endpoint can confirm it really came from LeadToSheet. Three headers are sent on every request:

  • X-Webhook-Signature - HMAC-SHA256 hex digest of the raw request body, signed with the endpoint's secret
  • X-Webhook-Id - a unique ID for this delivery attempt
  • X-Webhook-Timestamp - ISO 8601 timestamp of when the payload was generated

To verify, recompute the HMAC-SHA256 of the raw request body using your endpoint's secret and compare it to the X-Webhook-Signature header in constant time.

Tip

Always verify the signature before trusting any payload. Reject deliveries where the signature doesn't match.

Retries and timeouts

If your endpoint doesn't respond within 10 seconds, or returns a non-2xx status, the delivery is marked failed and automatically retried.

  • Up to 2 retry attempts after the initial delivery (3 attempts total)
  • First retry is scheduled about 1 minute after the failure; the second about 5 minutes after that. Retries are picked up by the sync cron, which runs every 5 minutes, so the actual retry can land slightly later than the scheduled time.
  • After the final attempt, the delivery is left in a failed state. The webhook itself is re-enabled and ready for the next submission.

Note

Endpoints pointing at private or internal IP ranges (localhost, 10.x, 172.16–31.x, 192.168.x, .local, .internal, etc.) are rejected - webhooks must target a publicly reachable URL.

Testing an endpoint

Use the Test button on any endpoint to send a sample payload. The test payload uses event "submission.test" and contains placeholder fields, so you can confirm your handler is reachable and your signature verification works without waiting for a real submission.

Disabling or removing endpoints

Use the toggle on each endpoint card to temporarily disable an endpoint without deleting it - disabled endpoints stop receiving deliveries immediately. Click Delete to remove the endpoint and its delivery history permanently.