Outbound webhooks
Real-time webhooks for PDF activity
The moment someone opens your proposal, downloads the report, or completes the lead form, FileDroppr sends a signed HTTPS POST to any endpoint you choose - your CRM, your own service, or a Slack channel.
Drop your PDF here
or click anywhere in the tray to browse
PDF only · max 20MB
Free to start · outbound webhooks are a Pro feature · add endpoints from Account settings
Every event, pushed
Views, downloads, completed gate forms, reader comments, receipt confirmations, and self-destruct burns - each one lands at your endpoint seconds after it happens. No polling, no refresh loop.
Signed like it matters
Every delivery carries an HMAC-SHA256 signature computed with your endpoint secret, Stripe-style. Your receiver can prove each POST really came from FileDroppr and is not a replay.
Retries until it lands
A failed delivery is retried automatically on an increasing backoff schedule. An endpoint that keeps failing is disabled - and you are told - rather than silently swallowing events forever.
Slack pings, no app install
Point a webhook at a Slack Incoming Webhook URL and pick the Slack format: events arrive as formatted Block Kit messages in your channel. Nothing from the Slack directory to install or approve.
What events can a webhook send?
A shared PDF generates moments you want to act on while they are still happening - a prospect opening the proposal, a lead completing the gate form, a one-time link burning itself. Each endpoint subscribes to exactly the events it cares about:
- Viewed. A reader opened the document. Fired per visit, carrying the file, the visit source, and the reader identity your plan reports - enough for a CRM to log who came back.
- Downloaded. A copy left the building. The event says which document, and which reader took it.
- Form completed. A reader passed the email gate or lead capture form. The payload carries the captured fields, ready to post straight into your CRM while the lead is still reading.
- Comment added. A reader left feedback on the document - private or public - so the right person can respond while the reader is still on the page.
- Receipt confirmed. A reader marked the document as received. Proof of delivery, pushed to wherever your audit trail lives.
- Link burned. A self-destructing link spent its view budget and deleted itself - the last event a link ever sends. Your readership record survives; the webhook tells you the moment the document went.
Verifying the signature
Every delivery includes a signature header in the same t/v1 style Stripe uses: a Unix timestamp and a hex digest, comma-separated. The digest is an HMAC-SHA256 of the timestamp, a dot, and the raw request body, keyed with the signing secret of the endpoint that received it.
To verify: read the timestamp and signature from the header, recompute HMAC-SHA256 over timestamp-dot-body with your secret, and compare your digest to v1 with a constant-time comparison. Reject anything whose timestamp is older than your tolerance - five minutes is typical - and forged or replayed deliveries never make it past the front door.
The signing secret is generated per endpoint and shown exactly once, at creation. Store it like a password; if it leaks or goes missing, rotate the endpoint and a new secret is minted.
Delivery, retries & housekeeping
A delivery is a POST to your HTTPS endpoint with a JSON body; any 2xx response counts as received. Anything else - a timeout, a 500, a dropped connection - is retried automatically with increasing backoff, so a deploy or a blip on your side costs you nothing. The event arrives when you are back.
An endpoint that fails every retry over a sustained run is disabled automatically, so it does not sit there absorbing events into the void - its status shows in Account settings and you can re-enable it once your side is fixed. Each account can register up to 10 endpoints, each with its own secret, its own event selection, and its own payload format.
Slack notifications in three steps
Slack support ships as a webhook format, not a Slack app - there is nothing from the app directory to install and nothing for a workspace admin to approve.
- Create a Slack incoming webhook. In Slack, add an Incoming Webhook to the channel where you want notifications. Slack hands you a unique URL for that channel.
- Paste the URL into FileDroppr. Add it as a webhook endpoint in Account settings, exactly as you would any other endpoint URL.
- Pick the Slack format. Choose Slack as the payload format and select your events. From then on, a view on your proposal becomes a formatted Block Kit message in the channel, seconds later.
Prefer no code? Use Zapier
If you would rather not run a receiving endpoint at all, the Zapier integration connects FileDroppr to 7,000+ apps with no code. It polls on a schedule rather than pushing in real time, which is fine for most notification and logging flows.
Webhooks are the real-time, developer-grade end of the same spectrum: push delivery, signed payloads, and your own code deciding what happens next. Browse all FileDroppr integrations for everything in between.
Webhook questions.
What are PDF webhooks?
A webhook is an HTTPS POST that FileDroppr sends to a URL you control the moment something happens to a document you shared - a view, a download, a completed gate form, a comment, a confirmed receipt, or a self-destruct burn. Instead of checking your readership dashboard, your systems are told in real time.
How do I get Slack notifications when someone reads my PDF?
Create an Incoming Webhook in Slack for the channel you want, paste its URL into FileDroppr as a webhook endpoint, and choose the Slack payload format. Events then arrive as formatted Block Kit messages in that channel. No Slack app install or workspace admin approval is needed.
How do I verify a webhook really came from FileDroppr?
Every delivery is signed with HMAC-SHA256 using your endpoint secret, in the same timestamp-plus-signature header style Stripe uses. Recompute the digest over the timestamp and raw request body, compare it to the v1 value in constant time, and reject stale timestamps - forged or replayed requests fail the check.
What happens if my endpoint is down?
Failed deliveries are retried automatically on an increasing backoff schedule, so an outage on your side just delays the event. An endpoint that keeps failing across the whole schedule for a sustained period is disabled automatically; its status shows in Account settings and you can re-enable it once fixed.
Which plan includes webhooks, and how many endpoints can I add?
Outbound webhooks - including the Slack format - are a Pro feature ($29/month, or $290/year). Each account can register up to 10 endpoints, each with its own signing secret, event selection, and payload format. If you want automation without code, the Zapier integration is available as an alternative.
Wire your documents into everything else.
Upgrade to Pro, add an endpoint or a Slack channel, and the next time someone opens your proposal your tools will know before you do.
See Pro pricingRelated: the developer API · PDF read tracking · lead capture forms · all integrations