Who Is This For?
Teams that want to:
Trigger CRM updates when a prospect engages with a demo
Log demo and sandbox activity in internal systems
Build automation workflows around demo engagement
Getting Started
Go to Organization Settings β Webhook
Click Create Webhook
Enter your endpoint URL and select the events you want to subscribe to
Save - your webhook is now active
Event Types
Event | Description |
| A tour session began |
| A tour session ended |
| A demo session began |
| A demo session ended |
| A sandbox session began |
| A sandbox session ended |
| A demo highlight was triggered |
Payload
Every webhook delivery sends a JSON POST request with the following body:
json
{
"event_id": "12345",
"event_type": "demo.session.started",
"delivery_id": "67890",
"data": { ... }
}Field | Type | Description |
| string | Unique identifier for the event |
| string | One of the event types listed above |
| string | Unique identifier for this delivery attempt |
| object | Event-specific payload data |
HTTP Headers
Every request includes the following headers:
Header | Example | Description |
| 42 | The webhook configuration ID |
|
| The event type |
| 67890 | Unique delivery attempt ID |
|
| UTC delivery timestamp (used in signature verification) |
|
| HMAC-SHA256 signature for request verification |
Verifying Webhook Signatures
We recommend verifying every incoming webhook to ensure it was sent by Demostack and not tampered with.
How it works: The signature is computed over the timestamp and raw request body, which prevents replay attacks. To verify:
Concatenate the
X-Demostack-Timestampheader value, a dot (.), and the raw request bodyCompute an HMAC-SHA256 using your webhook's signing secret
Compare the result to the
X-Demostack-Signatureheader
Example (Python):
import hashlib, hmac timestamp = request.headers["X-Demostack-Timestamp"]
message = f"{timestamp}.".encode("utf-8") + request.body
expected = "sha256=" + hmac.new(
signing_secret.encode("utf-8"),
message,
hashlib.sha256,
).hexdigest()
assert hmac.compare_digest(expected, request.headers["X-Demostack-Signature"])