Webhooks and API access are available on the Exchange (Enterprise) plan only. If you are on a Starter or Growth plan and want to explore these features, contact the MerchantAI team to discuss an upgrade.
Webhook events
MerchantAI can deliver real-time HTTP POST notifications to your endpoint when key events occur in a conversation. The following events are available:conversation.created
conversation.created
Fires when a new conversation session is opened — typically the moment a visitor sends their first message. Use this event to create a corresponding record in your CRM or helpdesk, tag the visitor’s session in your analytics platform, or start a real-time monitoring workflow.
lead.captured
lead.captured
Fires when the agent collects a visitor’s contact details (name, email address, or both) during a conversation. This is the most commonly used event for CRM integrations — pipe captured leads directly into your marketing automation tool, sales pipeline, or email platform the moment they are collected.
handover.triggered
handover.triggered
Fires when the agent determines that a human should take over the conversation. This can happen due to a low-confidence answer, a visitor explicitly asking for a human, or a trigger phrase matching your handover rules. Use this event to create a support ticket, send an internal Slack alert, or open a live-chat session in your helpdesk tool.
message.sent
message.sent
Fires each time the agent sends a message to a visitor. Use this event for detailed conversation logging, real-time transcript mirroring to an external system, or building custom analytics pipelines on top of raw message data.
Registering a webhook endpoint
Open Webhook settings in your dashboard
In the MerchantAI dashboard, navigate to Settings → Webhooks. This page lists all your registered endpoints and lets you add new ones.
Enter your endpoint URL
Paste the full HTTPS URL of the server endpoint that should receive webhook payloads. Your endpoint must be publicly reachable and must respond with an HTTP
200 status to acknowledge receipt.Select the events you want to receive
Check the boxes next to the event types you want this endpoint to receive. You can register multiple endpoints and subscribe each one to a different set of events.
Webhook payload structure
Every webhook request is an HTTP POST with a JSON body. Below is a representative example for thelead.captured event.
| Field | Type | Description |
|---|---|---|
event | string | The event type that fired (e.g. lead.captured) |
timestamp | string | ISO 8601 UTC timestamp of when the event occurred |
workspace_id | string | Your MerchantAI workspace identifier |
data | object | Event-specific payload; fields vary by event type |
Verifying webhook signatures
Every webhook request from MerchantAI includes anX-MerchantAI-Signature header. This header contains an HMAC-SHA256 signature computed over the raw request body using your webhook secret as the key. Verifying this signature on every incoming request ensures the payload genuinely originated from MerchantAI and has not been tampered with in transit.
To verify the signature:
- Retrieve your webhook secret from Settings → Webhooks in the dashboard.
- Compute
HMAC-SHA256(raw_request_body, webhook_secret). - Compare your computed value to the value in the
X-MerchantAI-Signatureheader using a constant-time comparison to prevent timing attacks. - Reject any request where the values do not match.

