Skip to main content
This guide walks through subscribing to your first webhook event, receiving a test payload, and verifying the signature. By the end you’ll have a working endpoint that confirms contact.updated events end-to-end.
You need a FitProTracker account with organization admin access (or location admin if you’re scoping to a single location). If you don’t have that yet, contact your account owner.

1. Stand up a temporary endpoint

For initial testing we recommend webhook.site — it gives you a unique URL that captures incoming POSTs with their full payload and headers. Perfect for verifying delivery before you write your real handler.
1

Open webhook.site

Open webhook.site in a new tab. You’ll be auto-assigned a unique URL like https://webhook.site/8a3f....
2

Copy your unique URL

Keep this tab open — incoming requests will appear here in real time.

2. Register the subscription in FPT

1

Open Webhook Endpoints in the FPT admin

Navigate to Settings → Webhook Endpoints.
2

Click Add Endpoint

A dialog appears with three fields:
  • URL — paste your webhook.site URL
  • Events — check contact.updated
  • PII categories — leave at default for the quickstart
3

Save

The endpoint is now active. FPT will start delivering matching events within seconds of the next contact change at your location.
4

Grab your signing secret

Click the Generate Key button on your new endpoint row. The dialog shows a one-time secret — save it now (you’ll need it for signature verification later). You won’t be able to view it again; you can rotate it if lost.

3. Trigger an event

The fastest way to fire a real event right now: edit any contact in FPT and save. Any field change emits contact.updated. Within 5–10 seconds you should see a POST land on webhook.site.
A “Send test event” button is coming in a future release — it’ll let you fire a synthetic event without modifying real data. For now, editing a real contact is the way.

4. Inspect what you got

On webhook.site you’ll see a request with these key bits: 
POST / HTTP/1.1
Content-Type: application/json
X-FPT-Signature: t=1717023600,v1=a3f...

{
  "eventId": "9f1c7e2a8c4d4b1b9e3f5a6d7c8b9a0e",
  "eventType": "contact.updated",
  "eventTimestamp": "2026-06-10T23:45:00Z",
  "locationId": 1234,
  "organizationId": 5678,
  "apiVersion": "v1",
  "data": {
    "contactId": 9876,
    "operation": "update"
  }
}
That’s the full envelope. The shape is consistent across every event type — only the eventType and data fields vary by event.

5. Verify the signature

Now do this for real — using a small script. We provide samples in three languages on the Signature verification page; the one-liner concept: 
const expected = hmac_sha256(secret, `${timestamp}.${rawBody}`);
if (expected !== signature) throw new Error("invalid signature");
If the signature checks out, you have a verified, idempotency-keyable, partner-ready event handler. 🎉

Next steps

The envelope shape in full

Every field, every type, every quirk.

Idempotency contract

Why you must dedupe by EventId.

HMAC verification, in code

Production-ready samples in JS, Python, C#.

Event catalog

What each event means and what’s in its data.