Build · Webhooks
Webhooks
VisitorFlow signs every webhook payload with HMAC-SHA256 and retries with exponential backoff for 24 hours. Subscribe per event to keep payloads tight.
Subscribe to an endpoint
From the dashboard, go to Settings → API & webhooks → Endpoints. Add the URL, pick events, and copy the signing secret — you cannot recover it later.
Verify signatures
import crypto from 'node:crypto';
function verify(req, secret) {
const signature = req.headers['vf-signature'];
const ts = req.headers['vf-timestamp'];
const body = req.rawBody; // pre-JSON-parsed buffer
const expected = crypto
.createHmac('sha256', secret)
.update(`${ts}.${body}`)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected),
);
}Event payload
{
"id": "evt_2YZ4...",
"type": "visitor.checked_in",
"created_at": "2026-04-30T14:21:09Z",
"tenant_id": "tnt_01",
"data": {
"visit_id": "vis_2YZ4...",
"visitor": { "name": "Marisol Cruz", "company": "Acme" },
"host_id": "h_98412",
"location_id": "loc_mty_01"
}
}Retries & replay
We retry on any non-2xx response with exponential backoff (up to 24 hours). Failed deliveries appear in Webhooks → Deliveries with the response body and you can replay any of them with one click.
Available events
visitor.checked_invisitor.checked_outvisitor.no_showdriver.cargo_selecteddriver.dock_assignedhost.notifiedprereg.createdprereg.scannedwatchlist.matchincident.createdincident.resolvednda.acceptedbadge.printedlead.captured