Zubby AI
  • Pricing
Sign inStart free trial
  • Welcome
  • REST API reference
  • Outbound webhooks
  1. Docs
  2. Outbound webhooks

Outbound webhooks

Webhooks let Zubby push events to your stack the moment they happen — no polling required. Subscribe an HTTPS endpoint, choose the events you care about, and we’ll deliver signed JSON payloads with automatic retries on failure.

Subscribing

In the dashboard, under Integrations → Webhooks, paste your HTTPS URL and save. Every configured endpoint receives every event listed below. Slack incoming-webhook URLs get a readable text message; Zapier / Make catch-hooks get a flat JSON object; everything else gets the signed envelope described below.

Event catalog

EventWhen it fires
lead.createdA shopper leaves their email or phone in the widget.
handoff.requestedA shopper asks for a human from the widget.
conversation.startedA new shopper conversation begins.
conversation.escalatedThe AI (low confidence) or a teammate escalated a chat.
conversation.closedA teammate closed a conversation.
csat.submittedA shopper rated their chat experience (1–5 stars).
ticket.createdA support ticket was opened (any channel).
recovery.sentA cart/browse recovery email left our outbox.
order.refundedThe platform reported an order refund.
rma.createdThe AI logged a shopper return request.

Payload shape

Every event has the same envelope. The data field differs per event type. id is a unique event id — use it to deduplicate on your side.

json
{
  "id": "5f3c2a1e-9d2b-4c1f-8a4e-1b2c3d4e5f6a",
  "event": "lead.created",
  "timestamp": "2026-05-15T18:22:43.108Z",
  "data": {
    "leadId": "lead_01HJKLMN",
    "email": "alex@example.com",
    "purpose": "lead_capture"
  }
}

Verifying signatures

Every non-Slack delivery is signed. The X-Zubby-Signature header has the form t=<unix-ts>,v1=<hmac>, where v1 is an HMAC-SHA256 of `${timestamp}.${rawBody}` using your webhook secret (shown when you create the endpoint). Verify before trusting the payload, and reject stale timestamps.

js
import crypto from "node:crypto";

function verifyZubbyWebhook(req: Request, rawBody: string): boolean {
  const header = req.headers.get("X-Zubby-Signature") ?? "";
  const match = header.match(/^t=(\d+),v1=([a-f0-9]{64})$/);
  if (!match) return false;
  const [, timestamp, sig] = match;

  // Replay protection: reject anything older than 5 minutes.
  if (Math.abs(Date.now() / 1000 - Number(timestamp)) > 300) return false;

  const expected = crypto
    .createHmac("sha256", process.env.ZUBBY_WEBHOOK_SECRET!)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");

  // Constant-time compare to thwart timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(sig, "hex"),
    Buffer.from(expected, "hex")
  );
}

Reject anything older than 5 minutes

The signed timestamp is also echoed in the X-Zubby-Timestamp header. Reject requests where it differs from your server clock by more than 300 seconds — this prevents replay attacks even if a signature leaks.

Failures

Deliveries time out after 5 seconds; non-2xx responses count as failures. Deliveries are best-effort (no automatic retry today), and we track consecutive failures per endpoint: after 5 in a row we notify you in the dashboard inbox; after 20 in a row the endpoint is paused automatically. Fix the receiver and re-add it from Integrations → Webhooks.

Best-practice receiver

On the receiving side:

  1. Verify the signature before parsing.
  2. Persist the event by id before doing any downstream work — this makes the receiver idempotent.
  3. Return 2xx within 5 seconds. Defer heavy work to a queue (Kafka, SQS, or your DB) — don’t block our delivery worker.
  4. Log the full envelope for debugging.

Adjacent

  • REST API reference
  • Security & privacy

Was this page helpful?

Still stuck? Contact support with the URL of this page (/docs/webhooks).

PreviousREST API referenceNextSecurity & data handling

Footer

Zubby AI

The AI sales agent for Shopify and WooCommerce. Learns your store, guides shoppers in real time, and recovers the revenue you would have otherwise lost.

System status

Product

  • All Features
  • AI Sales Agent
  • Cart Rescue
  • Widget Designer
  • Multi-Language
  • Pricing
  • Changelog

Solutions

  • Solutions Hub
  • Cart Recovery
  • Product Discovery
  • 24/7 Support
  • Upsell + Cross-sell
  • Conversion Optimization

Industries

  • Fashion & Apparel
  • Beauty & Cosmetics
  • Electronics
  • Jewelry & Accessories
  • Food & Beverage
  • Health & Wellness

Integrations

  • Shopify
  • WooCommerce
  • All integrations
  • vs Rep AI
  • vs Tidio
  • vs Klaviyo
  • vs Gorgias

Resources

  • Documentation
  • Guides
  • ROI Calculator
  • Glossary
  • Answers (AI Q&A)
  • Blog
  • Case Studies

Company

  • About
  • Careers
  • Contact
  • Trust
  • Security
  • Status
  • Privacy
  • Terms

© 2026 Zubby AI, Inc. All rights reserved.

Built for merchants.Made with care.