Webhook Integration

Real-time event notifications to automate workflows and integrate with external systems

Overview

Webhook Integration enables Instafill.ai to send real-time HTTP POST notifications to your specified endpoint URLs when specific events occur (form completed, batch job finished, error encountered, etc.). Instead of polling the API repeatedly to check for updates, your system receives instant notifications the moment events happen, enabling reactive workflows, automated processing pipelines, and seamless integration with external systems like CRMs, document management systems, email platforms, or custom applications.

Webhooks are the foundation for building automated workflows: automatically email filled forms to clients, trigger next-step processes when submissions complete, update CRM records with form data, send Slack notifications to teams, or kick off document review workflows. The system delivers events reliably with retries, signature verification for security, and comprehensive logging for debugging.

Key Capabilities

Event-Driven Notifications: Receive instant notifications when events occur
Multiple Event Types: Form completed, batch finished, error occurred, user actions, etc.
Custom Endpoint URLs: Configure your own HTTPS endpoints to receive webhooks
Payload Customization: Choose which data to include in webhook payloads
Signature Verification: HMAC signatures ensure webhook authenticity
Automatic Retries: Failed deliveries retry with exponential backoff
Event Filtering: Subscribe only to relevant events
Webhook Logs: Track delivery status, payloads, and responses
Testing Tools: Test webhook endpoints before activating
Multiple Webhooks: Configure different endpoints for different event types
Conditional Triggers: Send webhooks only when specific conditions met

How It Works

Webhook Configuration:
- Navigate to Settings → Webhooks
- Click "Add Webhook"
- Specify endpoint URL: https://your-system.com/api/instafill-webhook
- Select events to subscribe: "form.completed", "batch.finished"
- Set secret key for signature verification
- Save configuration
Event Occurs: User fills form successfully
Webhook Delivery: System sends HTTP POST to your endpoint:

POST https://your-system.com/api/instafill-webhook
Headers:
  X-Instafill-Signature: sha256=abc123...
  X-Instafill-Event: form.completed
  Content-Type: application/json

Body:
{
  "event": "form.completed",
  "timestamp": "2024-02-16T10:30:00Z",
  "data": {
    "session_id": "sess_abc123",
    "form_id": "form_xyz789",
    "form_name": "Job Application Form",
    "completed_by": "[email protected]",
    "filled_pdf_url": "https://instafill.ai/download/sess_abc123.pdf",
    "field_data": {
      "applicant_name": "John Smith",
      "email": "[email protected]",
      "phone": "555-1234"
    }
  }
}

Your System Responds:
- Verify signature matches expected value (authentication)
- Process event data (store in database, trigger workflow, etc.)
- Return HTTP 200 OK (acknowledges receipt)
Retry Logic (if your endpoint unavailable):
- Attempt 1: Immediate
- Attempt 2: +1 minute
- Attempt 3: +5 minutes
- Attempt 4: +15 minutes
- Attempt 5: +1 hour
- Final: Mark failed, send admin alert

Use Cases

Webhooks are most valuable when a completed form needs to immediately trigger action in another system. Law firms use them to email filled intake forms to both the client and assigned attorney within seconds of submission, insurance agencies auto-create and assign CRM leads from completed applications, and government permitting systems chain multi-department handoffs where each stage—document storage, reviewer assignment, payment, permit issuance—automatically triggers the next.

Related Guide: Teams commonly configure webhook notifications to alert team members when filled PDFs are ready for review or submission.

Benefits

Real-Time Processing: React to events instantly, not via polling
Workflow Automation: Chain multiple systems together automatically
Reduced Latency: Sub-second event delivery
System Integration: Connect Instafill.ai to any HTTP-capable system
Scalability: Webhooks scale to thousands of events without API rate limits
Reliability: Automatic retries ensure delivery even during brief outages
Flexibility: Build custom integrations for any workflow

Security & Privacy

Webhook security features:

Authentication:

HMAC-SHA256 signatures verify webhook authenticity
Secret key known only to you and Instafill.ai
Prevent spoofed webhook attacks

HTTPS Required:

Webhooks only sent to HTTPS endpoints
TLS 1.2+ encryption in transit

IP Allowlisting:

Whitelist Instafill.ai webhook IPs
Block webhooks from other sources

Payload Filtering:

Choose which fields included in payload
Exclude sensitive data if needed
Send only form metadata, not field data

Access Control:

Only workspace admins configure webhooks
Webhook data is workspace-scoped and protected by the same authentication middleware as all API requests
Audit log tracks webhook configuration changes

Signature Verification Example (Python):

import hmac
import hashlib

def verify_webhook(payload, signature, secret):
    expected = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(f"sha256={expected}", signature)

Common Questions

What events can trigger webhooks?

Comprehensive event types:

Form Events:

form.completed: Form filling session completed successfully
form.failed: Form filling session failed
form.abandoned: User started but didn't complete form

Batch Events:

batch.started: Batch processing job started
batch.completed: Batch job finished successfully
batch.failed: Batch job failed
batch.progress: Progress update (every 10% completion)

User Events:

user.invited: New user invited to workspace
user.joined: User accepted invitation
user.removed: User removed from workspace

Subscription Events:

subscription.upgraded: Plan upgraded
subscription.downgraded: Plan downgraded
subscription.canceled: Subscription canceled

Error Events:

error.occurred: System error during processing
quota.exceeded: Usage quota exceeded
payment.failed: Payment processing failed

Custom Events (Enterprise):

Define custom event types for organization-specific workflows

Event Filtering: Subscribe only to events you need - reduces noise and processing overhead.

What if my webhook endpoint is temporarily unavailable?

Robust retry mechanism:

Retry Schedule:

Immediate: First attempt when event occurs
+1 minute: If first attempt fails (network error, timeout, 5xx response)
+5 minutes: Second retry
+15 minutes: Third retry
+1 hour: Fourth retry
+6 hours: Final retry

Success Criteria:

HTTP 200-299 response code
Response received within 30 seconds

Failure Criteria:

HTTP 4xx/5xx error
Timeout (>30 seconds)
Network error (DNS, connection refused)

After Final Retry:

Event marked as "Failed"
Admin receives email notification
Event stored in webhook logs for 30 days
Can manually retry from webhook dashboard

Best Practice:

Implement idempotency: Handle duplicate webhook deliveries gracefully
Use event_id field to detect and ignore duplicates
Example: If event_id already processed, return 200 without re-processing

Monitoring: Webhook dashboard shows delivery success rate, helps identify systemic issues.

Can I test webhooks before activating them?

Yes! Comprehensive testing tools:

Test Webhook:

Configure webhook with endpoint URL
Click "Send Test Event"
System sends test payload to your endpoint
View response and delivery status in real-time

Test Payload Example:

{
  "event": "test.webhook",
  "timestamp": "2024-02-16T10:00:00Z",
  "data": {
    "message": "This is a test webhook from Instafill.ai"
  }
}

Testing Checklist:

✅ Endpoint URL accessible from internet
✅ HTTPS certificate valid
✅ Signature verification working
✅ Response time < 30 seconds
✅ Returns HTTP 200 OK

Local Testing (Development):

Use ngrok or similar to expose local dev server
Configure webhook with ngrok URL
Trigger test events, debug locally

Webhook Playground:

Web-based interface to construct and send test payloads
Modify event data to test edge cases
Useful for QA and development

Safety: Test webhooks don't affect production data or trigger real workflows.

How do I secure my webhook endpoint?

Multi-layered security approach:

1. Signature Verification (Required):

# Verify HMAC signature
import hmac
import hashlib

secret = "your_webhook_secret"
signature = request.headers["X-Instafill-Signature"]
payload = request.body

expected_sig = f"sha256={hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()}"

if not hmac.compare_digest(signature, expected_sig):
    return 401  # Unauthorized

2. IP Allowlisting:

Restrict webhook endpoint to Instafill.ai IPs only
IP ranges: 52.1.2.0/24, 54.3.4.0/24 (check docs for current ranges)
Firewall rule: Only accept from these IPs

3. HTTPS Only:

Never use HTTP endpoints
Valid SSL certificate required
TLS 1.2+ enforcement

4. Rate Limiting:

Limit webhook requests per minute from single IP
Prevents DOS attacks
Example: Max 100 webhooks/minute per source IP

5. Input Validation:

Validate event types: Only process expected events
Validate payload structure: Ensure required fields present
Sanitize data: Prevent injection attacks if storing in database

6. Idempotency:

Store processed event_ids
Reject duplicate events (replay attacks)
24-hour idempotency window

Example Secure Endpoint:

@app.route('/webhook', methods=['POST'])
def webhook():
    # 1. Verify signature
    if not verify_signature(request):
        return 401

    # 2. Check source IP
    if request.remote_addr not in ALLOWED_IPS:
        return 403

    # 3. Check idempotency
    event_id = request.json['event_id']
    if already_processed(event_id):
        return 200  # Acknowledge but don't reprocess

    # 4. Validate payload
    if not valid_payload(request.json):
        return 400

    # 5. Process event
    process_event(request.json)
    mark_processed(event_id)

    return 200

All layers together provide defense-in-depth security.

Can I configure different webhooks for different workspaces?

Yes! Flexible webhook routing:

Workspace-Level Webhooks:

Configure unique webhook URL per workspace
Example:
- Sales Workspace → https://crm.com/webhooks/sales
- Marketing Workspace → https://crm.com/webhooks/marketing
- Support Workspace → https://help.com/webhooks/support

Organization-Level Webhooks:

Single webhook receives events from all workspaces across the organization
Payload includes workspace_id field for routing
Useful for centralized event processing

Event-Specific Webhooks:

Different URLs for different event types
Example:
- form.completed events → CRM webhook
- batch.finished events → Data warehouse webhook
- error.occurred events → Monitoring system webhook

Conditional Webhooks:

Send webhooks only when conditions met
Example: Only send form.completed webhook if form total > $1,000
Reduces unnecessary webhook traffic

Configuration UI:

Select workspace
Add webhook
Choose scope: "This workspace only" or "All workspaces"
Select events
Set endpoint URL
Add conditions (optional)

Granular control ensures webhooks go where needed without noise.

Webhook Integration

Overview

Key Capabilities

How It Works

Use Cases

Benefits

Security & Privacy

Common Questions

Related Features

Ready to get started?

Webhook Integration

Overview

Key Capabilities

How It Works

Use Cases

Benefits

Security & Privacy

Common Questions

Related Features

Organization Management

Batch Processing

Form Filling Sessions

Autofill from Multiple Sources

Third-Party Integrations

RESTful API

Email Integration

Ready to get started?