Visisto Webhooks
Send captured contacts, reward events, and custom data to any HTTPS endpoint. Signed, retried automatically, and fully logged. No Zapier required.
- contact.created: email, name, phone, source URL, campaign ID, widget type
- reward.issued: coupon code, discount value, expiry date, and associated contact
- Custom events: any event you define in your Visisto campaigns
How to set up a webhook
- 1. Go to Integrations → Webhooks in the dashboard
Open your Visisto workspace and click Integrations in the sidebar, then select the Webhooks tab.
- 2. Click Add Webhook and paste your endpoint URL
Enter the HTTPS URL of the endpoint that will receive the payloads. HTTP endpoints are not accepted.
- 3. Choose which events to send
Select contacts, reward events, or both. You can also add custom event types defined in your campaigns.
- 4. Copy your webhook secret
A unique secret is generated for each webhook. Copy it now; you will use it to verify HMAC signatures on incoming requests.
Store the secret in an environment variable, never in source code.
- 5. Implement signature verification in your endpoint
Use the code example below to verify the X-Visisto-Signature header on every incoming request.
- 6. Click Save → Send test payload
Send a test payload to your endpoint and check it arrives correctly. Fix any issues before going live.
- 7. Monitor deliveries in the log
The delivery log shows every attempt with full request/response details. Use it to debug failures and replay deliveries.
Example payload
This is what a contact.created webhook payload looks like. All timestamps are ISO 8601 UTC.
{
  "event": "contact.created",
  "timestamp": "2025-06-15T14:32:00Z",
  "data": {
    "email": "visitor@example.com",
    "name": "Jane Smith",
    "fields": { "company": "Acme Inc" },
    "campaign_id": "cmp_abc123",
    "source_url": "https://example.com/pricing"
  }
}

Verifying the signature
Every request includes an X-Visisto-Signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your webhook secret. Always verify this before processing the payload.
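import crypto from "crypto";

// Returns true only when `signature` matches the HMAC-SHA256 hex digest of the raw body.
function verifySignature(payload: string, signature: string, secret: string): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);
  // timingSafeEqual throws if the buffers differ in length, so reject those first.
  if (received.length !== computed.length) return false;
  return crypto.timingSafeEqual(received, computed);
}

Always use crypto.timingSafeEqual for the comparison, never a direct string equality check. Timing attacks can extract secrets from non-constant-time comparisons.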
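An added example, not Visisto's own code: a framework-independent handler that verifies X-Visisto-Signature over the exact bytes received and only then parses the JSON, so a re-serialized body or a malformed header is rejected instead of crashing the endpoint. The name handleDelivery, the secret and the sample body are constructed for illustration; it assumes the header carries only the 64-character hex digest, in either letter case.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Result = { status: number; event?: string };

// Verify the signature over the raw bytes, then parse. Returns a status code
// rather than throwing, so a bad header cannot take the handler down.
function handleDelivery(rawBody: Buffer, header: string | undefined, secret: string): Result {
  // A SHA-256 hex digest is exactly 64 hex characters; reject anything else up front.
  if (!header || !/^[0-9a-f]{64}$/i.test(header)) return { status: 401 };

  const expected = createHmac("sha256", secret).update(rawBody).digest(); // 32 bytes
  const received = Buffer.from(header, "hex");                            // 32 bytes
  if (!timingSafeEqual(received, expected)) return { status: 401 };

  // Parse only after the signature checks out.
  try {
    const payload = JSON.parse(rawBody.toString("utf8"));
    return { status: 200, event: String(payload.event) };
  } catch {
    return { status: 400 };
  }
}

// Constructed sample data (not real Visisto values). In production the secret
// comes from an environment variable, as the setup steps say.
const SECRET = "constructed-example-secret";
const RAW = Buffer.from('{"event":"contact.created","data":{"email":"visitor@example.com"}}');
const sign = (body: Buffer | string): string =>
  createHmac("sha256", SECRET).update(body).digest("hex");
```

Pass the request body to handleDelivery as the unparsed bytes your HTTP framework received; a body that has been through JSON.parse and JSON.stringify can differ byte for byte and will fail verification.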
Reliable delivery, every time
Every request is signed with your secret. Verify the X-Visisto-Signature header to reject forged payloads.
Failed deliveries are retried with exponential backoff for up to 72 hours. No contacts lost.
Inspect every delivery attempt with full request/response details, timestamps, and status codes.
Re-send any failed or historical delivery directly from the dashboard with one click.
Rename, copy, split, or delete fields before delivery so data arrives clean at your endpoint.
All webhook payloads are delivered over HTTPS. Plain-text HTTP endpoints are rejected.