Skip to content

Register a webhook

A webhook is a channel through which Zorio proactively pushes events (calls, leads, CDR, ...) to your URL in real time — instead of you polling the API.

How to register

No self-registration via API

For security and audit reasons (to prevent token abuse to redirect webhooks to an external URL), webhook registration is done only through the Admin Console UI. There is no public CRUD API.

5-step flow

  1. Log in to the Admin Console with an admin account.
  2. Go to Settings → Integrations → Webhooks (Admin Console).
  3. Click Create webhook and fill in:
    • URL — the HTTPS endpoint that will receive events (you deploy it).
    • Events — pick the events of interest (e.g. pbx.call.hangup, telesales.lead.updated).
    • Display name — to distinguish multiple webhooks.
  4. The system generates a secret (32 alphanumeric chars) — copy it now, you won't see it again.
  5. Deploy a receiver that verifies HMAC (see HMAC-SHA256 signing) and processes events.

Supported events

PBX (see PBX Webhooks)

EventFires when
pbx.call.ringingAn inbound call hits an extension and it's ringing
pbx.call.answeredThe extension picks up
pbx.call.hangupThe call ends — real-time from ESL
pbx.cdr.createdThe CDR pipeline has inserted the full row including recording_url

Telesales (see Telesales)

EventFires when
telesales.lead.createdA lead is inserted/imported
telesales.lead.updatedDisposition / custom fields change
telesales.call.disposedAn agent sets the outcome for a call
telesales.campaign.completedEvery lead in a campaign has been dialed

AutoCall (see AutoCall Webhooks)

EventFires when
autocall.campaign.started / paused / resumed / finishedCampaign lifecycle
autocall.lead.dialed / answered / dtmf_pressed / transferredLifecycle of a single call

Receiver URL requirements

  • HTTPS required (no plain HTTP).
  • Return HTTP 2xx within 5 seconds — anything slower is treated as a failure and retried.
  • Idempotent by X-Zorio-Delivery (UUID) — Zorio may retry the same event after a failure.
  • Verify HMAC before processing — see HMAC-SHA256 signing.

Test a webhook

The Admin Console has a Send test event button — it pushes a sample payload so you can debug your receiver without waiting for a real event.

Rotate the secret

If you suspect the secret has leaked:

  1. Open the webhook in the Admin Console → Rotate secret.
  2. The system mints a new secret — copy it and update your receiver.
  3. The old secret is disabled immediately — the next event is signed with the new secret.

Pause / Delete a webhook

  • Pause: configuration is kept, but no events are sent. Use this during receiver maintenance.
  • Delete: permanent; history is retained in the audit log but cannot be restored.

View delivery history

Every dispatched event has a delivery record kept for 30 days:

  • Endpoint, event, timestamp, receiver's response status.
  • Full payload + response body.
  • Retry count.

Browse at Admin Console → Webhook deliveries.

Cấp phép theo điều khoản sử dụng của Zorio.