About Webhooks in Fathom

Webhooks will send your meeting data (optionally including the summary, transcription, and action items) to a URL of your choice.
Please note: currently, your webhooks only fire for meetings you record—and not for meetings other users share to your Team. This behavior will evolve: stay tuned for updates!

Create a webhook

There are two ways to create a webhook:

Option 1 - in Settings

Webhooks can be configured in your User Settings.

Create a webhook in Settings

  • Head to: API Access > Add > Setup Webhook
  • Enter a Destination URL
  • Select which data to include in the payload

Option 2 - via API

You also have the option of creating and deleting webhooks with an API call. API docs: Create a webhook.
Be sure the check the response body to confirm the webhook was created as expected. Webhooks created via API will also appear in your Settings

Test Your Webhook

To ensure your webhook is working as expected, you can record a brief, 2-minute meeting. Shortly after the meeting ends, your Destination URL should receive a webhook event. For details on the webhook’s payload, see our API docs.
Coming soon: send a test payload from your Settings page

Verifying Webhooks

Webhook verification helps ensure that incoming requests to your endpoint are from Fathom and haven’t been altered. Each webhook request sent from Fathom includes a signature in the request headers, which you can use to confirm the authenticity of the payload.
To test webhooks locally or during development, you can skip verification—but don’t forget to add it back in before going live.

How to verify a webhook

Method 1 - SDK

If you’re using our SDK, you can use the verify_webhook helper. Simply call: 
client.verifyWebhook(webhook_secret, request.headers, request.body)
webhook_secret – Provided when you create the webhook (either in Settings or via the API). request.headers – The HTTP headers from the incoming request, which include the signature Fathom sends. request.body – The raw string body of the POST request.

Method 2 - Without the SDK

You can also verify incoming webhooks yourself using basic tools available in most programming languages. Every webhook payload from Fathom includes a webhook-signature in the header, with a version prefix and a base64-encoded value. Example: "v1,BKQR1BIFjiNPdfpqM3+FH/YckKhX7WIq4/KK6Cc5aDY=" View in docs To verify the request:
  1. Take the portion of the webhook-signature header after the comma (this may include multiple space-delimited signatures)
  2. Use your webhook_secret to hash the request body with HMAC SHA-256 (be sure to use the raw body, before any JSON parsing)
  3. Base64-encode your hash and compare it to each of the provided signatures
  4. If any one matches, the webhook is valid.
Example: 
const crypto = require('crypto')

function verifyWebhook(secret, headers, rawBody) {
  const [version, signatureBlock] = headers['webhook-signature'].split(',')
  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody, 'utf8')
    .digest('base64')

  const signatures = signatureBlock.split(' ')
  return signatures.includes(expected)
}