Webhooks
Webhooks push events to your servers the moment business happens — invoice paid, client created, task completed, file uploaded, and more. Every delivery is HMAC-SHA256 signed and logged.
Events
client.created · lead.created · deal.created · invoice.created · quote.created · invoice.sent · invoice.paid · payment.recorded · task.created · task.completed · bucket.created · file.uploaded · file.deleted · webhook.test
Delivery format
{
"id": "delivery-uuid",
"object": "event",
"type": "invoice.paid",
"company_id": "...",
"created_at": "2026-06-11T12:00:00.000Z",
"data": {
"source_type": "invoice",
"source_id": "...",
"object": { ...the invoice... }
}
}Verifying signatures
Each delivery includes X-MyTabulon-Timestamp and X-MyTabulon-Signature headers. Recompute the HMAC over `${timestamp}.${rawBody}` with your endpoint secret and compare.
const crypto = require("crypto");
const expected = crypto
.createHmac("sha256", endpointSecret)
.update(`${req.headers["x-mytabulon-timestamp"]}.${rawBody}`)
.digest("hex");
const valid =
req.headers["x-mytabulon-signature"] === `sha256=${expected}`;Managing endpoints
Create and manage endpoints from the dashboard Webhooks page, or programmatically through the webhook-endpoints resource. Failed deliveries are logged with the response body so you can debug, and you can fire test events any time.