WHK

Webhooks & API

Automations & Workflows Advanced Updated Mar 6, 2026

A complete guide to HighLevel's inbound and outbound webhooks plus the REST API. Learn how to send data to external services, receive data from external systems, authenticate API requests, and build custom integrations.

Get started quickly Follow the step-by-step setup checklist.

Webhooks and API

Webhooks and the REST API are the backbone of every custom integration you build in HighLevel. Outbound webhooks push data from your workflows to external services in real time. Inbound webhooks let external systems send data into your workflows to trigger automations. The REST API gives you programmatic access to contacts, conversations, calendars, payments, and nearly every other object in the platform.

What Webhooks and API Do

Webhooks and the API connect HighLevel to virtually any software in your stack by moving data between systems automatically.

Core integration surfaces:

  • Outbound Webhook (workflow action): Sends contact and event data from a workflow step to an external URL when a contact reaches that step
  • Custom Webhook (advanced workflow action): Sends fully configurable HTTP requests with custom methods (GET, POST, PUT, DELETE), headers, authentication, and JSON payloads to any external API
  • Inbound Webhook (premium workflow trigger): Receives data from an external system via an HTTP request and uses it to start a workflow
  • REST API (v2): A full set of endpoints for reading and writing data programmatically, authenticated with Private Integration Tokens or OAuth 2.0

Outbound webhooks are part of the Actions Library. Inbound webhooks are premium workflow triggers. The REST API is accessed outside workflows via HTTP requests from your own code, Postman, or integration platforms like Zapier and Make.

Key Configuration Options

Setting up an outbound webhook: Open your workflow in the Workflow Builder, click the + icon on the canvas where you want the webhook to fire, search for Webhook in the Actions panel, and select it. Enter a descriptive action name, choose POST as the HTTP method, paste the destination URL from the external service, and optionally add custom key-value pairs under Custom Data. The webhook automatically includes standard contact data: full name, email, phone, address, tags, and all custom fields.

Configuring Custom Webhook for advanced control: Select Custom Webhook from the Actions panel. Choose the HTTP method (GET, POST, PUT, DELETE), set the authentication method (Bearer Token, API Key, Basic Auth, OAuth 2.0, or No Auth with custom headers), and build the payload using dynamic values like {{contact.email}} or {{contact.id}}. Set the Content-Type header to application/json for JSON payloads or application/x-www-form-urlencoded for form data.

Setting up an Inbound Webhook: Create a new workflow or open an existing one, click Add New Trigger, and select Inbound Webhook. Copy the unique webhook URL displayed in the trigger configuration and paste it into your external system as the destination for outgoing data. Send a test request from the external system, then click Test Trigger in HighLevel. Select the received data from the list and click Save to store it as the mapping reference. Every field from the incoming payload becomes available as a custom value throughout the workflow.

REST API authentication: Use Private Integration Tokens for internal, single-location tools (generate a token in your sub-account or agency settings). Use OAuth 2.0 for public integrations, Marketplace apps, or any scenario that accesses multiple locations. API v1 has reached end-of-support. All new development should use API v2, documented at https://marketplace.gohighlevel.com/docs/.

Power Features

Inbound Webhook for contactless workflows: Inbound webhooks can run workflows without a contact. Actions that do not depend on contact data (such as Custom Webhook, Google Sheets, and internal notifications) will execute normally. If you need contact data later in the workflow, use the Create/Update Contact or Find Contact action to match incoming email or phone to an existing record.

OAuth 2.0 for production integrations: Private Integration Tokens are fine for internal tools, but OAuth 2.0 is more secure for public apps because tokens rotate automatically. Configure tokens in Global Workflow Settings > OAuth2 / Manage Tokens, then select the token in the Custom Webhook action.

Save response from webhooks: If the feature is enabled in your account, toggle Save response from this Webhook in the Custom Webhook action configuration. You can then reference the response data in subsequent workflow steps using custom values.

Rate limits for API: HighLevel enforces a burst limit of 100 requests per 10 seconds and a daily limit of 200,000 requests per day, both measured per Marketplace app per resource (Location or Company). Monitor your usage with the response headers: X-RateLimit-Limit-Daily, X-RateLimit-Daily-Remaining, X-RateLimit-Interval-Milliseconds, X-RateLimit-Max, and X-RateLimit-Remaining.

Pro Tips

  • Use descriptive action names like “Send Lead to Zapier” or “Update External CRM” so your workflow canvas is easy to scan.
  • Put secrets in headers, not URLs by passing API keys and tokens in the Authorization or custom header fields. Avoid placing credentials in query strings unless the provider requires it.
  • Test before publishing by running a test workflow with a sample contact and verifying the payload with a tool like webhook.site before going live.
  • Keep payloads lean by only sending the fields the receiving service actually needs. Smaller payloads reduce errors and speed up processing.
  • Secure inbound webhook URLs by treating them like passwords. If one is exposed, delete the trigger and create a new one immediately. A new URL is generated automatically.

Common Questions

What is the difference between the Webhook action and the Custom Webhook action?

The standard Webhook action sends a fixed POST request with contact data and optional custom key-value pairs. The Custom Webhook action gives you full control over the HTTP method, headers, authentication, content type, and raw JSON body. Use Custom Webhook when you need GET, PUT, or DELETE requests, or when the external API requires specific headers or authentication.

Can I use webhooks without a contact in the workflow?

Yes. Inbound Webhook triggers can run workflows contactless. Actions that do not depend on contact data (such as Custom Webhook, Google Sheets, and internal notifications) will execute normally. If you need contact data later in the workflow, use the Create/Update Contact or Find Contact action.

What authentication method should I use for the API?

Use Private Integration Tokens for internal, single-location tools. Use OAuth 2.0 for public integrations, Marketplace apps, or any scenario that accesses multiple locations. OAuth 2.0 is the recommended standard for production applications.

How do I troubleshoot a webhook that is not firing?

First, check the Execution Logs to see whether the action reached the webhook step. If it did, verify the destination URL, HTTP method, Content-Type header, and credentials. Send a test request to webhook.site to confirm the payload shape. Common issues include incorrect URLs, expired tokens, and mismatched Content-Type headers.

Can I trigger a workflow from an external app?

Yes. Use the Inbound Webhook trigger to receive data from any external service. You will get a unique webhook URL for each workflow. Send a POST request to that URL with JSON data, and the workflow fires immediately.

Back to GHL Features Table View Original Article

Stay sharp. New guides and playbooks as they drop.