/Webhooks

Webhooks

Send signed JSON events to your own endpoint.

Create a webhook#

From your form's Webhook tab, click "New webhook", paste your endpoint URL, and save. Halloform generates a per-webhook secret and shows it to you once — copy it somewhere safe.

Event envelope#

The body is a flat JSON object — no "data" wrapper. The event name travels in the X-Halloform-Event header (e.g. submission.completed), not in the body.

{
  "version": "1",
  "formId": "Dgo61ZsT1KYQ",
  "formName": "Contact form",
  "submissionId": "4271",
  "submittedAt": "2026-05-31T08:00:00.123Z",
  "fields": [
    { "id": "zT5U3eWl", "name": "Email", "type": "EmailInput", "value": "ada@example.com" }
  ],
  "scheduling": null,
  "payments": null
}

Verify the signature#

Every request includes an X-Halloform-Signature header — sha256= followed by the hex digest of the raw body, keyed by your webhook secret. Reject any request whose digest doesn't match. The event name arrives in the X-Halloform-Event header.

Don't trust the unsigned body
Without signature verification, anyone can spoof an event to your endpoint. The secret is the only thing tying a request back to your form.