Webhook events
Configure webhook endpoints in Dashboard → Settings → Integrations to receive event notifications.
Verifying signatures
Every webhook request includes an X-LiveLayer-Signature header — an HMAC-SHA256 of the raw body keyed on your webhook secret.
ts
import { createHmac, timingSafeEqual } from "node:crypto";
export function verify(rawBody: string, signature: string, secret: string): boolean {
const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
const a = Buffer.from(expected);
const b = Buffer.from(signature);
return a.length === b.length && timingSafeEqual(a, b);
}
Always verify signatures before trusting webhook payloads. Anyone can POST to your endpoint URL.
Event catalog
| Event | Description | Payload |
|---|---|---|
| conversation.started | A visitor began a session with one of your agents | { id, agentId, visitorId, startedAt } |
| conversation.ended | Session ended (visitor left, timeout, or programmatic close) | { id, durationSeconds, endedAt, summary? } |
| conversation.message | A new message added to the transcript (visitor or agent) | { conversationId, role, content, at } |
| slide.advanced | Visitor moved to a new slide | { conversationId, fromSlide, toSlide } |
| slide.quiz_answered | Visitor answered a quiz block | { conversationId, slideId, value } |
| tool.invoked | Agent invoked a tool (your code may run on the receiving end) | { conversationId, tool, args, result } |
| visitor.identified | Visitor identity was resolved (FingerprintJS or your hook) | { visitorId, fingerprint, externalId? } |
Delivery and retries
- Events POST to your URL with
Content-Type: application/json. - Expected response:
2xxwithin 5 seconds. - On non-2xx or timeout, we retry with exponential backoff: 1m, 5m, 30m, 2h, 6h, 24h. After that, the event is dropped.
- Idempotency: every event has a unique
idyou can use to dedupe.