How to use Webhooks

Only our Universal CRM API mirrors the Follow Up Boss API in terms of event names and payload structure. Our TMS (Transaction Management System) and LOS (Loan Origination System) Universal APIs do not mirror the Follow Up Boss API, but they do follow the same event structure and behavior for each entity type.

For each CRM entity—such as people, tasks, notes, etc.—we support standard lifecycle events:

• <entity>Created

• <entity>Updated

• <entity>Deleted

For example, to receive notifications when new people are added, you would subscribe to the peopleCreated event.

Note: At this time, we do not support all granular event types (such as peopleStageUpdated) that exist in Follow Up Boss itself except for the peopleTagsCreated event.

Event Payloads

Each webhook payload includes:

• eventId: A unique identifier for the event.

• eventCreated: Timestamp for when the event occurred.

• event: The event name (e.g., peopleCreated).

• resourceIds: List of IDs for affected records.

• uri: A direct URL to fetch the relevant records.

Example peopleCreated payload:

{
  "eventId": "0197cba6-834f-7000-b5ed-1813cd6efcbe",
  "eventCreated": "2025-07-02T15:19:21+00:00",
  "event": "peopleCreated",
  "resourceIds": [
    "0197cbb0-efe2-7000-9cc2-7b029bcf7a1e",
    "0197cbb1-2a8e-7000-b339-674c58902431",
    "0197cbb1-5816-7000-a3a4-90be8a6057c4"
  ],
  "uri": "https://crm.universal.rollout.com/people?ids=0197cbb0-efe2-7000-9cc2-7b029bcf7a1e,0197cbb1-2a8e-7000-b339-674c58902431,0197cbb1-5816-7000-a3a4-90be8a6057c4"
}

Security & Authenticity

To ensure webhook requests are genuinely from us, we include an X-Rollout-Signature header. This contains an HMAC SHA256 signature of the payload body, generated using your Rollout Client Secret as the key.

To verify a webhook:

1. Compute an HMAC SHA256 hash of the raw request body using your client secret.

2. Compare your hash to the value in the X-Rollout-Signature header.