Webhooks
Send signed JSON events to your own endpoint.
Create a webhook#
From your form's Webhook tab, click "New webhook", paste your endpoint URL, and save. Halloform generates a per-webhook secret and shows it to you once — copy it somewhere safe.
Event envelope#
The body is a flat JSON object — no "data" wrapper. The event name travels in the X-Halloform-Event header (e.g. submission.completed), not in the body.
{
"version": "1",
"formId": "Dgo61ZsT1KYQ",
"formName": "Contact form",
"submissionId": "4271",
"submittedAt": "2026-05-31T08:00:00.123Z",
"fields": [
{ "id": "zT5U3eWl", "name": "Email", "type": "EmailInput", "value": "ada@example.com" }
],
"scheduling": null,
"payments": null
}Verify the signature#
Every request includes an X-Halloform-Signature header — sha256= followed by the hex digest of the raw body, keyed by your webhook secret. Reject any request whose digest doesn't match. The event name arrives in the X-Halloform-Event header.
Don't trust the unsigned body
Without signature verification, anyone can spoof an event to your endpoint. The secret is the only thing tying a request back to your form.