Webhooks & APIs

Connect Inboxy to AnythingWebhooks, API Tokens & Integrations

Real-time outbound webhooks for thirteen event types with HMAC-SHA256 signatures and automatic retry. API tokens with thirteen permission scopes. Compatible with Zapier, Make, and n8n.

webhook-payload.json
{
  "event": "message.received",
  "timestamp": "2026-04-12T14:30:00Z",
  "channel": "whatsapp",
  "contact": {
    "name": "Ahmed Mohamed",
    "phone": "+966501234567"
  },
  "message": {
    "text": "I want to order",
    "type": "text"
  }
}

Headers:
X-Inboxy-Signature: sha256=a1b2c3...
X-Inboxy-Timestamp: 1712930200
13

Event Types

HMAC

SHA256 Signature

Auto

Auto Retry

13

Permission Scopes

3+

Compatible Platforms

Thirteen Event Types

Receive real-time notifications for every important event on your platform via outbound webhooks

Messages

message.received
message.sent

Contacts

contact.created
contact.updated

Conversations

conversation.opened
conversation.closed
conversation.assigned

Orders

order.created
order.updated
order.completed
order.cancelled

Campaigns

campaign.started
campaign.completed

AI

agent.response

Core Features

Automatic Event Dispatch

When any of thirteen events occur in Inboxy, data is automatically sent as JSON to the specified endpoint

HMAC-SHA256 Signature

Every request includes an HMAC-SHA256 signature in the X-Inboxy-Signature header with timestamp for security verification

Exponential Retry Backoff

On failure, the system retries with increasing intervals: 1s, 2s, 4s, 8s. Three retries maximum by default.

API Token Management

Create API tokens with inboxy_ prefix and thirteen permission scopes. Token shown only once and stored hashed.

How Webhooks Work

1

Event in Inboxy

New message, order, or contact update

2

Build Payload & Sign

JSON data with HMAC-SHA256 signature in header

3

POST to Your URL

Send to specified endpoint with SSRF protection

4

Success or Retry

Success (200) or auto-retry with exponential backoff

Webhook Management

Full control over your platform webhooks with detailed delivery logs and SSRF protection.

Create, update, delete
Test dispatch manually
Replay failed (last seven days)
Delivery log per webhook
Secret regeneration
Pause and resume
ACTIVEPAUSEDFAILED
api-request.sh
curl -X POST \
  https://api.inboxy.chat/v1/messages \
  -H "Authorization: Bearer inboxy_abc..." \
  -H "Content-Type: application/json" \
  -d '{
    "channel": "whatsapp",
    "to": "+966501234567",
    "template": "order_update",
    "variables": {
      "order_id": "#5678",
      "status": "shipped"
    }
  }'
API Tokens

API Tokens with Granular Permissions

Create API tokens with inboxy_ prefix and thirteen permission scopes. Token shown only once at creation and stored SHA-256 hashed. Optional expiration date and last-used tracking.

woocommerce:readwoocommerce:writeotp:sendotp:verifycontacts:readconversations:readmessages:readorders:readleads:readtickets:readproducts:readanalytics:read

Integration Examples

Some practical scenarios for how to use webhooks and API tokens

Sync with HubSpot

New WhatsApp message → Auto-create HubSpot contact via Zapier

Slack Notifications

New order → Instant notification in Slack channel via Make

Update Google Sheets

New contact → Add row in Google Sheets via n8n

Custom OTP System

Send verification codes via WhatsApp using API tokens with otp:send scope

WooCommerce Sync

Connect WordPress store with Inboxy via API token with woocommerce:read/write scopes

External CRM Integration

Two-way contact sync with any CRM via contacts:read and webhooks

Security

Enterprise-Grade Security

HMAC-SHA256 signature for every request with hashed API token storage and SSRF protection that blocks private IPs and cloud metadata.

HMAC-SHA256 signature with timestamp
SHA-256 hashed API token storage
SSRF protection against private addresses
Timing-safe verification recommended
Soft delete with audit trail
HMAC

SHA256 Signature

SSRF

Built-in Protection

7d

Replay Window

Audit Trail

Compatible With Over 5,000 Apps

Zapier

Connect with over five thousand apps. Trigger Zaps on any of thirteen events.

Make

Advanced automation scenarios with webhook trigger module. Formerly Integromat.

n8n

Open-source automation with webhook node. Perfect for self-hosted environments.

13

Event Types

13

Permission Scopes

3

Compatible Platforms

REST

API Interface

Connect Inboxy With Your Favorite Tools

Webhooks and REST API for seamless integration with Zapier, Make, n8n, and any external app

Easy-to-use interface