Configure outbound webhooks

Receive event payloads from ClientFlow into your own systems with HMAC verification and replay support.

Last updated 2026-04-26

Outbound webhooks let your systems react to events in ClientFlow in real time - new tasks created, invoices paid, members added, and more.

Add an endpoint

Go to Settings → Webhooks → New Endpoint:

  • URL - your HTTPS endpoint. HTTP is rejected.
  • Events - tick the events you want delivered. The full list:
    • project.{created,updated,deleted}
    • task.{created,updated,completed}
    • client.{created,updated}
    • invoice.{paid,overdue,refunded}
    • team.{member_added,member_removed}

Each endpoint gets a unique signing secret shown once after creation.

Verifying signatures

Every delivery includes an X-ClientFlow-Signature header containing sha256=<HMAC>. Compute the HMAC-SHA256 of the raw request body (the exact bytes received, before any parsing) using your signing secret and compare in constant time:

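import crypto from "crypto";

// rawBody must be the bytes exactly as received (Buffer or string),
// not JSON that a framework has parsed and re-serialized.
function verifyWebhook(rawBody, signatureHeader, secret) {
  // A missing or non-string header can never be valid.
  if (typeof signatureHeader !== "string") return false;
  const provided = Buffer.from(signatureHeader.replace(/^sha256=/, ""), "hex");
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest();
  // timingSafeEqual throws if the lengths differ, so reject
  // truncated or malformed signatures before comparing.
  if (provided.length !== expected.length) return false;
  return crypto.timingSafeEqual(provided, expected);
}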

Reject the request with 401 if the signature doesn't match. Always use a constant-time comparison; a regular === leaks timing information.

Retries

Failed deliveries (non-2xx response, timeout, or connection error) are retried 3 times with exponential backoff (1s, 2s, 4s). After the final failure, the delivery is marked exhausted and is visible in our admin dead-letter queue (DLQ) - support can replay it once your endpoint is healthy.

4xx responses (other than 408 / 429) are classified as permanent failures - we don't retry, on the assumption that 4xx means a request your endpoint will never accept. Use 5xx for transient failures.
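
An added example (not ClientFlow's own code) that ties signature verification to the retry rules above: it answers 401 for a bad signature, 400 for an authentic but unparseable body, 503 when local processing fails, and 200 otherwise. The processEvent callback, the 1 MiB body cap and a JSON body are assumptions; Node lowercases incoming header names, hence x-clientflow-signature.

```javascript
const crypto = require("node:crypto");
const http = require("node:http");

// Sender-side signature, for local tests only (hex HMAC-SHA256, "sha256=" prefix).
function signBody(rawBody, secret) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Same check as verifyWebhook above, restated so this block runs on its own.
function signatureValid(rawBody, header, secret) {
  if (typeof header !== "string") return false;
  const provided = Buffer.from(header.replace(/^sha256=/, ""), "hex");
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  return provided.length === expected.length && crypto.timingSafeEqual(provided, expected);
}

// Status per this article's retry rules; processEvent is a hypothetical app callback.
function handleDelivery(rawBody, headers, secret, processEvent) {
  if (!signatureValid(rawBody, headers["x-clientflow-signature"], secret)) return 401;
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8")); // parse only after verifying
  } catch {
    return 400; // authentic but unparseable: a retry cannot help
  }
  try {
    processEvent(event);
    return 200;
  } catch {
    return 503; // failure on our side: 5xx asks ClientFlow to retry
  }
}

// HTTP wiring: buffer the exact bytes received; never verify re-serialized JSON.
function createReceiver(secret, processEvent, maxBytes = 1024 * 1024) {
  return http.createServer((req, res) => {
    const chunks = [];
    let size = 0;
    req.on("data", (chunk) => {
      size += chunk.length;
      if (size > maxBytes) return req.destroy(); // assumed cap on unauthenticated input
      chunks.push(chunk);
    });
    req.on("end", () => {
      res.statusCode = handleDelivery(Buffer.concat(chunks), req.headers, secret, processEvent);
      res.end();
    });
  });
}
```

Call createReceiver(secret, processEvent).listen(port) to serve it; handleDelivery can be unit-tested without a socket by signing constructed bodies with signBody.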

Test deliveries

Click Send Test Event on any endpoint to fire a synthetic webhook.test event. This lets you verify signature handling without triggering a real workspace event.

Disable an endpoint

Click Disable to pause delivery without deleting the configuration. The endpoint stops receiving events but the signing secret stays the same when you re-enable.