Inbound Sources

Push data from Stripe, Typeform, or any webhook into Coeffection without handing out an API key. Each source is a signed, per-tenant endpoint that can only stage events — your own workflows decide what becomes a Contact, a Lead, or anything else.

How it works#

An external system signs a payload and POSTs it to your source's endpoint. Coeffection verifies the signature and writes the raw event to a staging table — it never creates CRM records directly. A workflow you author (triggered by External event) then maps the staged payload onto entities. You choose whether that happens instantly (Auto) or after a human reviews it (Review).

1 · Stage

Signed POST → raw event saved (no entity written)

2 · Dispatch

Your external_event workflow runs the mapping

3 · Create

Contact, Lead, … created via your rules

ℹ

Why not an API key? A raw write API is a broad, hard-to-revoke attack surface. Inbound Sources keep external systems sandboxed to a staging table; the mapping logic lives in yourtenant's workflows, versioned and revocable per source.

Create a source#

Go to Admin → Integrations → Inbound Sources → New.

Name & mode

Give the source a name (the slug is generated and is permanent). Pick Auto to process events on arrival, or Review to hold them in an inbox for a person to approve.

Target workflow

Choose the workflow that maps this source's events. Only workflows whose trigger is External event appear here — if you have none yet, the dropdown links you to create one.

Dedupe key

A JSON path to a unique id in the payload (default id). Replays of the same id are ignored, so a retrying sender never double-creates records.

Copy the signing secret

On save, the signing secret is shown once. Copy it into your sender's config — you can't see it again (rotate to get a new one).

Admin → Integrations → Inbound Sources

NameSlugModeWorkflow

Stripe — App Carestripe-app-careAutoPurchase → Lead

Typeform — Demo reqtypeform-demoReviewDemo → Contact

⚠

The signing secret is encrypted at rest and shown exactly once. If you lose it, use Rotate secret — this immediately invalidates the old one, so update your sender at the same time.

Describe the payload shape#

On the source's Payload Shape tab, paste a sample event and click Detect fields. Coeffection walks the JSON (including nested objects via dot-paths like customer.email) and lets you mark which fields show in the Review inbox and which is the dedupe key. The full raw payload is always stored — this just drives the inbox columns and the $event.* references your workflow can use.

Sign your requests#

Every request is authenticated with an HMAC-SHA256 signature over <timestamp>.<raw body>, sent in an x-webhook-signature header as t=<unix_seconds>,v1=<hex>. The timestamp must be within ±5 minutes (replays are rejected). The source editor gives you a copy-paste snippet; here are the essentials:

Node.js

import crypto from "node:crypto";

const SECRET = process.env.COEFFECTION_SIGNING_SECRET; // shown once on create
const ENDPOINT =
  "https://app.coeffection.com/api/ingest/<tenantId>/<sourceSlug>";

const body = JSON.stringify({ id: "evt_123", email: "ada@acme.com" });
const t = Math.floor(Date.now() / 1000); // unix seconds
const v1 = crypto
  .createHmac("sha256", SECRET)
  .update(`${t}.${body}`) // sign "<timestamp>.<raw body>"
  .digest("hex");

await fetch(ENDPOINT, {
  method: "POST",
  headers: {
    "content-type": "application/json",
    "x-webhook-signature": `t=${t},v1=${v1}`,
  },
  body,
});

Python

import hashlib, hmac, json, time, requests

SECRET = "..."  # shown once on create
ENDPOINT = "https://app.coeffection.com/api/ingest/<tenantId>/<sourceSlug>"

body = json.dumps({"id": "evt_123", "email": "ada@acme.com"})
t = int(time.time())
v1 = hmac.new(SECRET.encode(), f"{t}.{body}".encode(), hashlib.sha256).hexdigest()

requests.post(
    ENDPOINT,
    headers={"content-type": "application/json", "x-webhook-signature": f"t={t},v1={v1}"},
    data=body,
)

Sign the exact bytesyou send — don't re-serialize the JSON, since key order and spacing change the signature.

Map events with a workflow#

In the workflow builder, choose the External event trigger and pick this source. Then add Create entity actions that read payload values with $event.<path>. To link records, give a node a Store as name and reference its id downstream with $<name>.id.

Example: a purchase becomes a Contact + Lead

TriggerExternal event → stripe-app-care

Create Contactemail = $event.customer.email · store as "contact"

Create Leadcontact = $contact.id · amount = $event.amount

ℹ

The same mechanism works for any chain — create a Company, store it, then attach Contacts and Opportunities that reference $company.id.

Auto vs. Review#

Auto Hands-off

The workflow runs the instant a signed event arrives. Best for trusted, high-volume sources like completed purchases.

Review Human-in-the-loop

Events wait in the Inbound Inbox with your chosen columns. A teammate clicks Promote to run the workflow or Reject to discard. Best for demo requests, form fills, or anything needing a glance first.

Security & safeguards#

Staging-only by construction. The ingress endpoint physically cannot write CRM records — only your workflow can, under your rules.
System fields are off-limits. A payload can never set ownership or identity columns (tenant, owner, account, status, record id) — those are managed by Coeffection.
Tenant-scoped.The endpoint carries your tenant in the URL; a payload can't reassign an event to another tenant.
Per-event cap.One event can only create a bounded number of records, so a replay storm can't exhaust your data.
Revocable. Rotate a secret or deactivate a source at any time; in-flight requests with the old secret stop working immediately.

✓

Unknown source, bad signature, stale timestamp, or replay all return the same 401— there's no way to probe which tenants or sources exist.