Skip to main content
Webhooks let Cool Popup send real-time HTTP POST notifications to your server whenever a popup event occurs. Use webhooks to sync lead data to your own systems, trigger workflows, or log activity in your database.

Supported events

EventDescription
popup.shownThe popup was displayed to a visitor
popup.clickedThe visitor clicked the popup’s CTA button
popup.convertedThe visitor submitted the popup form
popup.closedThe visitor dismissed the popup

Setting up a webhook

1

Open Webhook settings

In your Cool Popup dashboard, go to Settings → Webhooks → Add Webhook.
2

Enter your endpoint URL

Paste your server’s endpoint URL. It must be a publicly accessible HTTPS address.
3

Select events

Choose which events you want to receive. You can select one or multiple events.
4

Save

Click Save. Cool Popup will send a test ping to your endpoint to confirm it’s reachable.
Only HTTPS endpoints are supported. HTTP endpoints are rejected and will not receive events.

Webhook payload

Cool Popup sends a JSON body with each request. Here is an example popup.converted payload: 
{
  "event": "popup.converted",
  "campaign_id": "camp_abc123",
  "campaign_name": "Summer Sale Popup",
  "timestamp": "2026-04-26T12:00:00Z",
  "visitor": {
    "email": "[email protected]",
    "fields": {
      "name": "Jane Smith",
      "email": "[email protected]"
    }
  },
  "page_url": "https://yoursite.com/products/summer-sale"
}
The payload fields are:
  • event — the name of the event that triggered the webhook
  • campaign_id — unique identifier for the campaign
  • campaign_name — the display name of the campaign
  • timestamp — ISO 8601 date and time when the event occurred
  • visitor.email — the visitor’s email address (present on popup.converted events)
  • visitor.fields — all form fields submitted by the visitor, as key-value pairs
  • page_url — the URL of the page where the event occurred

Responding to webhooks

Your endpoint must return an HTTP 200 status code within 5 seconds. If it does not respond in time, or returns a non-200 status, Cool Popup will retry the request up to 3 times with exponential backoff.

Validating webhook signatures

Always validate the X-CoolPopup-Signature header to confirm that requests genuinely come from Cool Popup and have not been tampered with.
Cool Popup signs every webhook request using HMAC-SHA256. The signature is computed from the raw request body using your webhook secret, and sent in the X-CoolPopup-Signature header. To validate:
  1. Read the raw request body (before parsing JSON).
  2. Compute an HMAC-SHA256 hash of the body using your webhook secret as the key.
  3. Compare the result to the value in the X-CoolPopup-Signature header.
  4. Reject the request if the values do not match.
Your webhook secret is available in Dashboard → Settings → Webhooks next to each configured endpoint.