Overview
Avoca can push events to your systems in real time via HTTPS webhooks. Webhook configurations are managed per team (or enterprise-wide) and deliver signed JSON payloads to an endpoint you control.Event webhooks are the push counterpart to the v1 leads feed — consumers can join the webhook stream to pulled lead records on
id / external_id.Event Types
| Event | Fires when |
|---|---|
voice_call.completed | A call ends and has been classified and saved |
lead.created | A new lead is recorded (from any intake source) |
lead.booking_created | A booking is created for a lead — one event per distinct CRM job |
lead.completed | A lead reaches the true end of its lifecycle (booked, unbooked, opted out, or failed) |
customer.communication_preference_changed | A customer opts in or out of SMS (STOP/START) |
Configuration
Webhook configurations are managed from the Avoca dashboard (or via the team-scoped configuration API):- Name — a label for the configuration
- Endpoint URL — your HTTPS endpoint (max 2048 chars;
https://required) - Events — which event types to subscribe to (at least one)
- Custom headers — optional name/value pairs sent on every delivery; individual headers can be marked encrypted (stored AES-GCM encrypted, never returned in plaintext)
- Include transcript / recording URL — opt-in flags controlling optional fields on
voice_call.completedpayloads - Lead source filter — optionally restrict
lead.*events to specific lead sources
Verifying Signatures
Every delivery is signed with the configuration’s webhook secret using HMAC-SHA256:| Header | Contents |
|---|---|
X-Webhook-Signature | sha256=<hex HMAC-SHA256 of the request body> |
X-Webhook-Timestamp | ISO 8601 timestamp of this delivery attempt |
X-Avoca-Event | The event type (e.g. lead.created) |
X-Avoca-Event-Id | Delivery ID (UUID) — stable across retries of the same event |
X-Avoca-Delivery | Same as the event ID |
X-Webhook-Signature using a constant-time comparison. The timestamp and signature are regenerated on each retry attempt, so also check X-Webhook-Timestamp freshness to reject replays.
Delivery & Retries
- Deliveries are
POSTrequests withContent-Type: application/jsonand a 10-second timeout. - Failed deliveries are retried 5 times with exponential backoff.
4xxresponses are treated as non-retriable (a misconfigured endpoint won’t be hammered);5xxand network errors are retried. - Use
X-Avoca-Event-Idfor idempotency — it is stable across retries of the same event. - Auto-pause: after 50 consecutive failures a configuration is automatically disabled (
disabled_reason: auto_paused_consecutive_failures). Any successful (2xx) delivery resets the counter. Re-enable from the dashboard once your endpoint is healthy. - Delivery logs are retained for 90 days.
Respond Quickly
Return a2xx as soon as you have durably received the event, and process asynchronously. Anything slower than 10 seconds counts as a failed attempt.