Webhooks

Real-time event notifications for incoming SMS, WhatsApp, and Email messages.

Overview

RCSZilla can send HTTP POST requests to your server whenever specific events occur. This lets you build real-time integrations without polling.

Field	Description	Configured in
`incoming_sms`	A new SMS message was received by your Android device.	Devices → Control → Webhooks tab
`incoming_whatsapp`	A new WhatsApp message was received by your Android device.	Devices → Control → Webhooks tab
`incoming_email`	A new email arrived in an IMAP inbox linked to your SMTP server.	Email Servers → Edit → Incoming Email (IMAP) section
`test`	A test event sent manually from the UI.	Same as above

Setup

Incoming SMS / WhatsApp Webhook

Go to Devices and click the control icon for your device.
Open the Webhooks tab.
Enter your endpoint URL (must accept POST, return 2xx within 10 seconds).
Optionally set a Webhook Secret for HMAC signature verification.
Click Save, then Send Test Webhook to verify.

Incoming Email Webhook

Go to Email Servers and edit (or add) a server.
Expand the Incoming Email (IMAP) section.
Enable IMAP polling and fill in the IMAP host, port, encryption, and credentials.
Enter a webhook URL and optional secret.
Save. A cron job checks for new emails every 2 minutes.

Request Format

Headers

Header	Description
`Content-Type`	`application/json`
`User-Agent`	`RCSZilla-Webhook/1.0`
`X-RCSZilla-Event`	Event type: `incoming_sms`, `incoming_whatsapp`, `incoming_email`, or `test`
`X-RCSZilla-Delivery`	Unique delivery ID (use for deduplication)
`X-RCSZilla-Signature`	`sha256=<hex-hmac>` — only present if you set a webhook secret. The HMAC is computed over the raw JSON body using SHA-256.

incoming_sms / incoming_whatsapp

Fired when the Android app calls submit_reply with a new message.

JSON

{
  "event": "incoming_sms",
  "timestamp": "2026-05-27T14:30:00Z",
  "data": {
    "id": 209,
    "from": "+40712345678",
    "message": "Yes, I want to book an appointment",
    "channel": "sms",
    "device_id": 6,
    "contact": {
      "id": 42,
      "name": "John Doe",
      "phone": "+40712345678"
    },
    "auto_reply": "Thanks! We will get back to you shortly."
  }
}

Field

Field	Type	Description
`event`	string	`incoming_sms` or `incoming_whatsapp`
`timestamp`	string	ISO 8601 UTC timestamp
`data.id`	int	ID of the stored incoming message
`data.from`	string	Sender phone number
`data.message`	string	Message text
`data.channel`	string	`sms` or `whatsapp`
`data.device_id`	int	Device that received the message
`data.contact`	object\|null	Matched contact (id, name, phone) or null if unknown sender
`data.auto_reply`	string\|null	Auto-reply text sent back, or null if no rule matched

incoming_email

Fired when the IMAP cron finds a new email in the configured mailbox.

JSON

{
  "event": "incoming_email",
  "timestamp": "2026-05-27T14:30:00Z",
  "data": {
    "id": 310,
    "from_email": "customer@example.com",
    "from_name": "John Doe",
    "to_email": "support@yourbusiness.com",
    "subject": "Re: Your order #1234",
    "body_text": "Hi, when will my order arrive?",
    "received_at": "2026-05-27T14:28:00Z",
    "smtp_server_id": 5
  }
}

Field

Field	Type	Description
`data.id`	int	ID of the stored email
`data.from_email`	string	Sender email address
`data.from_name`	string	Sender display name
`data.to_email`	string	Recipient (your mailbox)
`data.subject`	string	Email subject line
`data.body_text`	string	Plain-text body (first 2000 chars)
`data.received_at`	string	Original receive timestamp
`data.smtp_server_id`	int	Which SMTP/IMAP server received this

Verifying Signatures

If you configure a webhook secret, each delivery includes an X-RCSZilla-Signature header. Verify it like this:

PHP

<?php
$payload = file_get_contents('php://input');
$secret  = 'whsec_your_secret_here';

$header    = $_SERVER['HTTP_X_RCSZILLA_SIGNATURE'] ?? '';
$expected  = 'sha256=' . hash_hmac('sha256', $payload, $secret);

if (!hash_equals($expected, $header)) {
    http_response_code(401);
    exit('Invalid signature');
}

$data = json_decode($payload, true);
// Process the event...
http_response_code(200);
echo json_encode(['ok' => true]);

Node.js

const crypto = require('crypto');

app.post('/webhook', (req, res) => {
  const payload = JSON.stringify(req.body);
  const secret  = 'whsec_your_secret_here';
  const sig     = req.headers['x-rcszilla-signature'] || '';
  const expected = 'sha256=' + crypto.createHmac('sha256', secret)
                                      .update(payload).digest('hex');

  if (sig !== expected) return res.status(401).send('Invalid signature');

  const { event, data } = req.body;
  console.log(`Received ${event}:`, data);
  res.json({ ok: true });
});

Python

import hmac, hashlib, json
from flask import Flask, request, abort

app = Flask(__name__)
SECRET = 'whsec_your_secret_here'

@app.route('/webhook', methods=['POST'])
def webhook():
    payload = request.get_data()
    sig     = request.headers.get('X-RCSZilla-Signature', '')
    expected = 'sha256=' + hmac.new(
        SECRET.encode(), payload, hashlib.sha256
    ).hexdigest()

    if not hmac.compare_digest(sig, expected):
        abort(401)

    data = json.loads(payload)
    print(f"Event: {data['event']}", data['data'])
    return {'ok': True}

Retry Policy

If your endpoint returns a non-2xx status code, times out (10 seconds), or is unreachable, the delivery is retried with exponential backoff:

Attempt	Delay
1st retry	1 minute
2nd retry	5 minutes
3rd retry	30 minutes
4th retry	2 hours
5th retry (final)	12 hours

After 5 failed attempts the webhook is marked as permanently failed. Successfully delivered webhooks are automatically cleaned up after 7 days. Failed deliveries are retained for 30 days.

List Webhook Deliveries

GET /?endpoint=webhook_deliveries

Returns a paginated list of webhook deliveries for the authenticated user, with status counts and optional filtering.

Query Parameters

Field	Type		Description
`status`	string	optional	Filter by status: `pending`, `processing`, `sent`, or `failed`.
`event_type`	string	optional	Filter by event type: `incoming_sms`, `incoming_whatsapp`, `incoming_email`, or `test`.
`limit`	int	optional	Results per page (1–100). Default: 20.
`offset`	int	optional	Pagination offset. Default: 0.

Example Request

cURL

curl "https://api.rcszilla.com/?endpoint=webhook_deliveries&status=pending&limit=10" \
  -H "Authorization: Bearer YOUR-API-TOKEN"

Response

JSON

{
  "success": true,
  "total": 42,
  "limit": 10,
  "offset": 0,
  "counts": {
    "pending": 3,
    "sent": 38,
    "failed": 1
  },
  "deliveries": [
    {
      "id": 156,
      "event_type": "incoming_sms",
      "webhook_url": "https://your-server.com/hook",
      "status": "pending",
      "attempts": 0,
      "max_attempts": 5,
      "http_status": null,
      "last_error": null,
      "next_retry_at": "2026-05-27T14:31:00Z",
      "created_at": "2026-05-27T14:30:05",
      "last_attempt_at": null
    }
  ]
}

Status Counts

The counts object gives you a quick overview of all webhook states without paginating through every delivery. Use it for dashboard widgets or health checks.

Field	Description
`pending`	Queued, waiting for next cron run or retry window.
`processing`	Currently being delivered by the cron worker.
`sent`	Successfully delivered (HTTP 2xx). Auto-cleaned after 7 days.
`failed`	All retry attempts exhausted. Auto-cleaned after 30 days.

Get Webhook Delivery

GET /?endpoint=webhook_delivery

Returns a single webhook delivery by ID, including the full payload that was (or will be) sent to your endpoint.

Query Parameters

Field	Type		Description
`id`	int	required	The delivery ID returned by `webhook_deliveries`.

Example Request

cURL

curl "https://api.rcszilla.com/?endpoint=webhook_delivery&id=156" \
  -H "Authorization: Bearer YOUR-API-TOKEN"

Response

JSON

{
  "success": true,
  "delivery": {
    "id": 156,
    "event_type": "incoming_sms",
    "webhook_url": "https://your-server.com/hook",
    "payload": {
      "event": "incoming_sms",
      "timestamp": "2026-05-27T14:30:00Z",
      "data": {
        "id": 209,
        "from": "+40712345678",
        "message": "Yes, I want to book",
        "channel": "sms",
        "device_id": 6,
        "contact": {
          "id": 42,
          "name": "John Doe",
          "phone": "+40712345678"
        },
        "auto_reply": null
      }
    },
    "status": "sent",
    "attempts": 1,
    "max_attempts": 5,
    "http_status": 200,
    "last_error": null,
    "next_retry_at": null,
    "created_at": "2026-05-27T14:30:05",
    "last_attempt_at": "2026-05-27T14:30:08"
  }
}

Use webhook_deliveries?status=failed to monitor broken endpoints, or status=pending to check the queue depth. The counts field in the list response is ideal for health-check dashboards.

n8n Integration

To receive webhooks in n8n:

Add a Webhook node to your workflow and copy its URL.
Paste that URL into the webhook URL field in {APP_NAME} (Devices → Webhooks or Email Servers → IMAP).
Test to confirm n8n receives the event.
Connect downstream nodes to process the data (e.g., send a Slack message, update a CRM, trigger a reply).

Cron Setup

Add these cron jobs to your server:

crontab

# Fire pending webhooks (every minute)
* * * * * /usr/bin/php /path/to/send_sms/cron/process_webhook_queue.php

# Poll IMAP inboxes for new emails (every 2 minutes)
*/2 * * * * /usr/bin/php /path/to/send_sms/cron/process_incoming_emails.php