HALLOFORM
/Webhooks

Webhooks

Send signed JSON events to your own endpoint.

Create a webhook#

From your form's Webhook tab, click "New webhook", paste your endpoint URL, and save. Halloform generates a per-webhook secret and shows it to you once — copy it somewhere safe.

Event envelope#

{
  "event": "submission.completed",
  "formPublicId": "Dgo61ZsT1KYQ",
  "occurredAt": "2026-05-31T08:00:00.123Z",
  "data": {
    "submissionId": 4271,
    "submissionUuid": "8c5f...",
    "status": "complete"
  }
}

Verify the signature#

Every request includes an X-Halloform-Signature header — sha256= followed by the hex digest of the raw body, keyed by your webhook secret. Reject any request whose digest doesn't match.

Don't trust the unsigned body
Without signature verification, anyone can spoof an event to your endpoint. The secret is the only thing tying a request back to your form.