Skip to content

Webhooks

leadmaps hosts inbound webhook receivers for third-party event sources. Stripe is available today, and the receiver supports adding more sources over time.

POST /webhooks/:adapter/:siteId

For each inbound webhook the receiver:

  1. Verifies the inbound signature (per the source’s spec).
  2. Maps matched events to the leadmaps event shape.
  3. Forwards each mapped event into your site’s analytics.
POST /webhooks/stripe/:siteId
Stripe-Signature: t=...,v1=...

Verifies via Stripe’s official spec, HMAC-SHA256 with a 5-minute tolerance window.

Stripe eventMapped event
charge.succeededpurchase
customer.subscription.createdsubscription_created
customer.subscription.updatedsubscription_updated
customer.subscription.deletedsubscription_canceled

Unmapped Stripe types verify successfully and return 200 with zero events forwarded. This is deliberate. Stripe will not retry, and the mapping table can grow over time without breaking existing customers.

Each (site, adapter) pair has its own shared signing secret used to verify inbound signatures. A request for a site with no configured webhook returns 401 with the same generic envelope as everything else, so an attacker cannot enumerate tenants by status-code difference.

StatusWhen
200 { ok: true, forwarded: <n> }Verified successfully.
400Invalid signature OR malformed body. Stripe will not retry.
401Webhook is not configured for this site.
404Unknown adapter name.
500Event forwarding failed. Stripe will retry.

Webhook signing secrets are configured per site. Reach out at hello@leadmaps.nl to set up or rotate a secret for a source. Rotation keeps the previous secret valid for a short overlap window so in-flight webhooks are not dropped.

If you need to ingest from a source leadmaps does not have an adapter for, do it directly via the /s2s/events endpoint with your own server-side normalization. That bypasses the adapter layer entirely.