Webhooks let Tormano talk to systems we don't have a built-in connector for.
Outgoing webhooks
Tormano POSTs to an external URL when something happens. Two ways to configure:
- As a workflow action — any workflow can include a "Send Webhook" action that POSTs the triggering record (and optional context) to a URL you provide.
- As a global subscription —
/settings/integrations/webhookslets you subscribe to event types (contact.created, deal.won, donation.created) and get a POST for every matching event.
The payload is JSON. Tormano signs every webhook with HMAC-SHA256 so the receiver can verify authenticity.
Incoming webhooks
External systems can POST to Tormano to trigger workflows. Settings > Integrations > Webhooks > Incoming lets you create a unique URL like https://yourorg.tormano.com/api/v1/webhooks/incoming/abc123 that receives JSON. Workflows can use the Webhook trigger type to fire on inbound POSTs and use the payload data.
Authentication
Outgoing webhooks: HMAC-SHA256 signature in the X-Tormano-Signature header. Verify on your side using the secret displayed when you created the subscription.
Incoming webhooks: option to require a Bearer token in the Authorization header. Without it, the URL is unauthenticated and only secured by URL obscurity.
Retry behavior
Outgoing webhooks retry up to 3 times with exponential backoff if the receiver returns 5xx or doesn't respond in 30s. After 3 failures, the event is marked failed in Settings > Integrations > Webhooks > Activity.