Webhooks Overview

When events occur in Hermon, Hermon sends an HTTP POST request to your registered endpoint URL. This allows you to react in real time — update your CRM, trigger automations, send notifications, and more.

How It Works

Every time something happens in Hermon (a contract is signed, a payment is made, etc.), Hermon immediately sends a POST request to each of your registered webhook endpoints. Your server should respond with a 2xx status code within 30 seconds to acknowledge receipt.

Method

POST

Content-Type

application/json

Timeout

30 seconds

Max Retries

5 attempts

Request Headers

Every webhook delivery includes these headers:

Header	Value	Description
Content-Type	application/json	Payload format
User-Agent	Hermon-Webhook/1.0	Identifies the sender
X-Hermon-Delivery-Id	Unique UUID	Stable across retries — use for idempotency
X-Hermon-Event-Type	CONTRACT_SIGNED	The event type string
X-Hermon-Signature	sha256=<hex>	HMAC-SHA256 signature for verification

Payload Envelope

All webhook payloads share a common JSON envelope. The data field contains the event-specific payload.

webhook-payload.json

{
  "event_type": "CONTRACT_SIGNED",
  "event_id": "evt_01j9abc123...",
  "org_id": "org_2abc...",
  "created_at": "2026-04-08T12:00:00.000Z",
  "data": { ... }
}

Event Types

Hermon emits 8 event types across contracts, payments, and appointments:

Event Type	Trigger
CONTRACT_SIGNED	A contract is signed by the client
CONTRACT_SENT	A contract is sent to the client
CONTRACT_VOIDED	A contract is voided
PAYMENT_PAID	A payment is marked as paid
PAYMENT_FAILED	A payment fails
APPOINTMENT_BOOKED	A new appointment is created (via Calendly or manually)
APPOINTMENT_CANCELLED	An appointment is cancelled
CALL_OUTCOME_LOGGED	A call outcome is set on an appointment

View full event type reference →

Signature Verification

Every request is signed using HMAC-SHA256. The signature is included in the X-Hermon-Signature header as sha256=<hex>.

Always verify the webhook signature before processing the payload. Processing unsigned or tampered payloads could expose your system to security risks.

View signature verification guide →

Retry Behavior

If your endpoint returns a non-2xx status or times out, Hermon retries the delivery up to 5 times with exponential backoff (5 min → 10 min → 20 min → 40 min → 80 min). After all attempts are exhausted the delivery is marked as FAILED.

View retry behavior →

Next Steps

Verify Signatures

Secure your endpoint

Event Types

Browse all payloads