Skip to main content
Webhooks in SigmaMind let you receive real-time notifications about events happening in your AI agents.
Whenever an event is triggered (e.g., a conversation starts or ends), SigmaMind will send an HTTP POSTrequest with a JSON payload to your configured webhook URL. This allows you to fetch conversation info from your agents in your own applications, CRMs, or monitoring systems.

How Webhooks Work

  • Each AI Agent can have its own webhook.
  • A single webhook URL can be reused across multiple agents.
  • When the selected event occurs, SigmaMind sends a signed JSON payload to your webhook endpoint.
  • Your system can then process this payload to perform actions like updating CRM records, triggering workflows, or logging analytics.
Think of webhooks as push notifications for your backend — you get updates instantly when something important happens in SigmaMind.

Supported Webhook Events

The following events are currently supported:
  • conversation_started – Triggered when a new customer conversation begins.
  • conversation_ended – Triggered when a conversation is closed or completed.
  • conversation_analysed – Triggered when call analysis is completed.

Creating Webhooks

You can create webhooks in two ways:

1. Using the Dashboard

You can configure webhooks from Agent Settings:
  1. Open the AI Agent you want to connect.
  2. Go to Agent Settings → Webhooks.
  3. Click on Add Webhook
  4. Provide the following details -
    • Webhook Name - Set the name you want to give this webhook.
    • URL - Enter a webhook URL. You’ll find this from your system where you want to receive the events from SigmaMind.
    • Hit Submit to add the Webhook.
      Webhook 1

2. Using the API

If you prefer programmatic control, you can use the Webhook API to register webhooks.
  • The name field is a human-readable identifier for your webhook.
  • The url is the endpoint in your system that will receive webhook events.
  • The agentId must correspond to an existing Agent in your SigmaMind account.
  • The events parameter lists which Agent events will trigger the webhook.
curl --location 'https://api.sigmamind.ai/v1/webhooks' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: key_C6HL3Goru7Q.TlI5kZOKPmDM03Gt39nRBEnxrL*******************' \
--data '{
    "name": "Test Webhook 1",
    "url": "https://your-server.com/webhooks/ai-agent",
    "agentId": "D5D0p7TUs66TTAEAx",
    "events": [
        "conversation_started",
        "conversation_ended"
    ]
}'

Security and Verification

🔑 Secret Generation

  • Each webhook is associated with a unique secret.
  • This secret is generated securely using a cryptographically strong random generator.
  • We store this secret encrypted at rest.
  • You should securely store this secret on your side — it is required to verify incoming webhooks.

📦 What We Send

Every webhook request includes:

Headers

HeadersDescription
x-webhook-signatureHMAC SHA256 signature of the request
x-webhook-timestampUnix timestamp (in seconds)
x-webhook-delivery-IdUnique delivery ID (for idempotency)
x-webhook-idWebhook identifier

Body

  • JSON payload (exact content used for signature generation)

🔏 How Signature is Generated

We compute the signature using: 
signature = HMAC_SHA256(secret, timestamp + "." + payload)
and send it as: 
x-webhook-signature: sha256=<hex_encoded_signature>

✅ How to Verify Webhook (Client Side)

To validate that the webhook is genuine:

Step 1: Extract values

  • signature from header
  • timestamp from header
  • payload (raw request body)

Step 2: Recompute signature

expectedSignature = HMAC_SHA256(secret, timestamp + "." + payload)

Step 3: Compare signatures

  • Remove prefix sha256= from header signature
  • Compare with your computed signature
  • Use constant-time comparison to avoid timing attacks

Step 4: Validate timestamp (Replay Protection)

  • Convert timestamp to current time
  • Reject if difference > 5 minutes
Example: 
if (abs(current_time - timestamp) > 300 seconds) → reject

Step 5: Handle idempotency

  • Use x-webhook-delivery-id to ensure the same event is not processed multiple times
Always use the raw request body (do not reformat JSON before verifying).
Do not trust the request if signature validation fails.
Keep your webhook secret secure (never expose in frontend code).

💡 Examples

payload = timestamp + "." + rawBody
computed = HMAC_SHA256(secret, payload)

if (!constantTimeEquals(computed, receivedSignature)) {
    reject request
}
Always verify signatures before processing webhook data to prevent spoofing attacks.

Summary

  • Webhooks notify your system in real time about Agent events.
  • You can create webhooks from the Dashboard or via the API.
  • A single webhook URL can be used across multiple AI Agents.
  • Supported events include conversation_started and conversation_ended.
  • Payloads are signed with a secret key for secure delivery.
Webhooks are the easiest way to integrate SigmaMind into your existing systems and automate workflows.