TryOnCloud
Integrations · 12 min read

Virtual Try-On Webhook: Send Every Lead to Any CRM, Securely

A virtual try-on captures the highest-intent moment in your store. The TryOnCloud webhook delivers that moment to whatever you run your marketing in: Zoho, Mailchimp, HubSpot, Salesforce, Zapier, or your own backend. It is real-time, signed, and built to the same security bar as Shopify and Stripe webhooks. Here is exactly how it works, and how to answer every question your engineering team will ask.

Published by Naveen Allem

Founder & CEO, TryOnCloud

June 11, 2026

Most apps hand you a CSV and call it an integration. That is fine for a one-time import, but it is not how modern marketing runs. You want a shopper's try-on to reach your CRM within seconds, so your flows fire while intent is still hot. That is what a webhook is for: the instant a shopper completes a try-on and shares their email, TryOnCloud sends a signed HTTP request to your endpoint with the lead and the product they tried. No polling, no export, no delay.

What the Webhook Integration Does

TryOnCloud's outbound webhook turns every captured try-on lead into a real-time event delivered to a URL you control. You connect it once from the Leads tab inside your Shopify admin, and from then on every lead is pushed to your endpoint automatically. Because it is a plain, signed HTTP POST, it works with any system on the planet that can receive a request, which means you are never locked into one marketing tool.

In one sentence

When a shopper tries on a product and gives their email, TryOnCloud sends a signed, real-time webhook with that email and the product they tried to your CRM or automation tool, so you can trigger campaigns, build segments, and re-engage high-intent shoppers without lifting a finger.

Which CRMs and Tools You Can Connect

The webhook is intentionally generic. If your platform exposes an inbound webhook URL, or connects through an automation hub like Zapier or Make, TryOnCloud can deliver to it. Merchants commonly route try-on leads into these tools:

  • Zoho CRM: Inbound webhook or Zoho Flow
  • Mailchimp: Via Zapier or Make
  • HubSpot: Workflows webhook trigger
  • Salesforce: Flow / inbound endpoint
  • Brevo: Automation webhook
  • ActiveCampaign: Inbound webhook
  • Omnisend: Via Zapier
  • Zapier / Make / n8n: Route to 5,000+ apps
  • Your own backend: Any HTTPS endpoint

For Klaviyo specifically, TryOnCloud offers a dedicated one-click integration that sends a native "Try-On Lead" event, covered in our Klaviyo integration guide. For everything else, the webhook is the universal connector. And if you prefer a bulk import, a CSV export of every lead is always available from the Leads tab.

How It Works, End to End

  1. Shopper completes a try-on: On your storefront, a shopper uploads a photo, sees themselves in your product, and submits their email at the prompt. This is consent to be contacted.
  2. TryOnCloud writes the event to a durable outbox: Before anything is sent anywhere, the lead is persisted to a durable queue in our database. This is the guarantee that nothing is ever lost.
  3. A background worker signs and delivers it: A worker picks up the event, signs it with your store secret, and POSTs it over HTTPS to your endpoint with the headers described below.
  4. Your endpoint verifies and acts: Your CRM or middleware verifies the signature and timestamp, then creates a contact, fires a flow, or adds the lead to a segment.
  5. Retries on failure: If your endpoint is unreachable, the worker retries with exponential backoff over many hours until it succeeds, so a brief outage never costs you a lead.

What Each Webhook Contains

Every delivery carries a small, signed JSON body and a set of headers your endpoint uses to verify and process it. The headers are the important part:

Header | Purpose
x-tryoncloud-signature | HMAC-SHA256 of the raw body as sha256=<hex>. Verify this to prove authenticity and integrity.
x-tryoncloud-timestamp | Unix seconds when the event was sent. Reject if it is older than your tolerance to stop replays.
x-tryoncloud-delivery-id | A unique ID per delivery. Dedupe on it because delivery is at-least-once.
x-tryoncloud-event | The event type, for example lead_captured.
x-tryoncloud-shop | Your shop domain, so multi-store receivers can route correctly.

The JSON body itself is deliberately minimal: the shopper's email, the product they tried (title and URL), the result context, and whether they were tagged in Shopify. No payment data, no uploaded photo, nothing sensitive beyond the email the shopper chose to share.

Webhook Security, Explained for Your Engineers

A webhook gives an external system a way to push data to you, so it has to be secured properly. This is the part a serious merchant's security team will scrutinize, and TryOnCloud is built to pass that review. Here is every control, with the plain-language reason it matters.

Authentication and integrity (HMAC-SHA256)

Every request is signed with HMAC-SHA256 over the raw request body, using a secret unique to your store, sent as x-tryoncloud-signature: sha256=<hex>. Your endpoint recomputes the HMAC and compares it with a timing-safe comparison. Without your secret, nobody can forge a valid request or tamper with the body undetected. This is the identical scheme Shopify and Stripe use.

Replay protection

Each delivery includes x-tryoncloud-timestamp. Reject anything older than your tolerance, for example 5 minutes, and dedupe on the unique x-tryoncloud-delivery-id so a captured request cannot be replayed against you.

Secret handling and rotation

The signing secret is AES-256-GCM encrypted at rest. It is never stored in plaintext, never logged, and never sent to the browser. It is shown once on connect. You can rotate it any time and disconnect instantly; old secrets stop working immediately.

Transport security

Deliveries are HTTPS only. TryOnCloud refuses to send to any non-HTTPS endpoint, so the payload is always encrypted in transit.

Tenant isolation

The shop is derived only from your verified Shopify session token, never from a client-supplied value. A store can configure and receive only its own events. No merchant can reach another merchant's webhooks.

Infrastructure hardening (SSRF)

TryOnCloud resolves the DNS of every destination and blocks private, internal, and loopback addresses, and it never follows redirects. The system cannot be abused to reach internal services.
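
The destination check described above, sketched as an added example (not TryOnCloud's code). The caller resolves the hostname itself, for instance with dns.lookup, and passes the addresses in; checkDestination and the range list are assumptions made for illustration.

```javascript
// Added example: refuse webhook destinations that resolve to internal addresses.
const net = require("node:net")

// Private, loopback, link-local and similar ranges a sender should never deliver to
const blocked = new net.BlockList()
blocked.addSubnet("0.0.0.0", 8, "ipv4")
blocked.addSubnet("10.0.0.0", 8, "ipv4")
blocked.addSubnet("100.64.0.0", 10, "ipv4")   // carrier-grade NAT
blocked.addSubnet("127.0.0.0", 8, "ipv4")     // loopback
blocked.addSubnet("169.254.0.0", 16, "ipv4")  // link-local, incl. cloud metadata services
blocked.addSubnet("172.16.0.0", 12, "ipv4")
blocked.addSubnet("192.168.0.0", 16, "ipv4")
blocked.addAddress("::1", "ipv6")             // loopback
blocked.addSubnet("fc00::", 7, "ipv6")        // unique local
blocked.addSubnet("fe80::", 10, "ipv6")       // link-local

// resolvedAddresses: every address the hostname resolved to (all must pass)
function checkDestination(urlString, resolvedAddresses) {
  const url = new URL(urlString)
  if (url.protocol !== "https:") return { allowed: false, reason: "not https" }
  if (resolvedAddresses.length === 0) return { allowed: false, reason: "no addresses" }
  for (const addr of resolvedAddresses) {
    const family = net.isIP(addr)   // 4, 6, or 0 when it is not an IP literal
    if (family === 0) return { allowed: false, reason: "unparseable address" }
    if (blocked.check(addr, family === 6 ? "ipv6" : "ipv4")) {
      return { allowed: false, reason: "blocked address " + addr }
    }
  }
  return { allowed: true, reason: "ok" }
}

// Constructed inputs: hooks.example.com and the addresses are made up for the demo
console.log(checkDestination("https://hooks.example.com/in", ["93.184.216.34"]))
console.log(checkDestination("https://hooks.example.com/in", ["93.184.216.34", "10.0.0.5"]))
```

A sender would then connect to the address it validated and make the request with redirects disabled, so neither a second DNS answer nor a 3xx response can move the delivery to an internal host.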

Observability

Every delivery is logged per event with its status, attempt count, and last error, so failures are traceable. An in-app delivery log and replay button are on the roadmap; the underlying data is already captured.

Data and privacy

The payload is minimal: the shopper's email, which they consented to share, plus product and result context. You are the data controller and TryOnCloud is the processor. We honor Shopify's customers/redact and shop/redact webhooks, which purge the data on our side.

At-least-once

Delivery guarantee, not best-effort

Every event is persisted before delivery and retried until it lands. Combined with HMAC signing and replay protection, you get a webhook you can actually build a business process on.

Guaranteed Delivery and Retries

The most common reason teams distrust webhooks is silent loss: the sender fires once, your endpoint hiccups, and the event is gone. TryOnCloud removes that failure mode entirely with a durable outbox pattern, the same approach large payment systems use.

  • Persist first, deliver second. The event is written to a durable queue before any network call, so a crash or outage cannot drop it.
  • Exponential backoff. If your endpoint is down or returns an error, retries are spaced out over hours: 1 minute, 5 minutes, 30 minutes, 2 hours, 6 hours, then 24 hours.
  • At-least-once, with dedupe. Delivery is guaranteed at least once. If a retry overlaps a slow success, dedupe on x-tryoncloud-delivery-id so you process each lead exactly once.
  • Per-event logging. Each attempt records status, count, and last error, so you can see exactly what happened.

How to Verify a Webhook (Developer Guide)

Verification is five steps and works in any language. Hand this to your developers:

  1. Read the RAW request body. Do not re-serialize or parse-then-stringify it; the signature is over the exact bytes received.
  2. Compute hmac = HMAC_SHA256(rawBody, YOUR_SECRET) and hex-encode it.
  3. Compare it, using a timing-safe comparison, to the hex after sha256= in the x-tryoncloud-signature header.
  4. Reject the request if the comparison fails, or if x-tryoncloud-timestamp is older than your tolerance.
  5. Dedupe on x-tryoncloud-delivery-id, because delivery is at-least-once.

A minimal Node example of the core check:

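import crypto from "crypto"

// YOUR_STORE_SECRET is the signing secret shown once on connect.
// rawBody is the exact bytes of the request body, read before any JSON parsing.
function handleWebhook(req, res, rawBody) {
  const expected = crypto
    .createHmac("sha256", YOUR_STORE_SECRET)
    .update(rawBody)
    .digest("hex")

  // A missing header becomes an empty string instead of throwing on .replace()
  const header = req.headers["x-tryoncloud-signature"] || ""
  const sent = header.replace("sha256=", "")

  // timingSafeEqual throws if the buffers differ in length, so check length first
  const a = Buffer.from(expected)
  const b = Buffer.from(sent)
  const ok = a.length === b.length && crypto.timingSafeEqual(a, b)

  if (!ok) return res.status(401).end()          // forged or tampered
  // also reject if x-tryoncloud-timestamp is too old, then dedupe on delivery-id
}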
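
The five steps above as one function, including the timestamp and dedupe checks the minimal snippet leaves as a comment. This is an added example, not TryOnCloud's code; verifyDelivery, the in-memory Set, the sample secret and the body field names are assumptions constructed for the demo.

```javascript
// Added example: receiver-side check covering signature, timestamp and dedupe.
const crypto = require("node:crypto")

const TOLERANCE_SECONDS = 300      // the 5-minute tolerance the article suggests
const seenDeliveries = new Set()   // assumption: in-memory; use a shared store with a TTL in production

function signBody(rawBody, secret) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex")
}

// headers: lower-cased header map; rawBody: Buffer of the exact bytes received
function verifyDelivery(headers, rawBody, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Steps 1-3: recompute over the raw bytes and compare in constant time
  const expected = Buffer.from(signBody(rawBody, secret))
  const sent = Buffer.from(String(headers["x-tryoncloud-signature"] || ""))
  // timingSafeEqual throws on unequal lengths, so reject those first
  if (sent.length !== expected.length || !crypto.timingSafeEqual(sent, expected)) {
    return { status: 401, reason: "bad signature" }
  }
  // Step 4: reject stale timestamps (and ones implausibly far in the future)
  const ts = Number(headers["x-tryoncloud-timestamp"])
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) {
    return { status: 401, reason: "stale timestamp" }
  }
  // Step 5: retries can repeat an ID; acknowledge with 200 but do not reprocess
  const id = headers["x-tryoncloud-delivery-id"]
  if (!id) return { status: 400, reason: "missing delivery id" }
  if (seenDeliveries.has(id)) return { status: 200, reason: "duplicate" }
  seenDeliveries.add(id)
  return { status: 200, reason: "accepted" }
}

// Constructed sample delivery: secret, body fields and IDs are made up
const SAMPLE_SECRET = "constructed-demo-secret"
const sampleBody = Buffer.from('{"email":"shopper@example.com","product":"Demo Frame"}')
function sampleHeaders(nowSeconds, id = "constructed-delivery-0001") {
  return {
    "x-tryoncloud-signature": signBody(sampleBody, SAMPLE_SECRET),
    "x-tryoncloud-timestamp": String(nowSeconds),
    "x-tryoncloud-delivery-id": id,
  }
}

const demoNow = 1750000000
console.log(verifyDelivery(sampleHeaders(demoNow), sampleBody, SAMPLE_SECRET, demoNow))        // accepted
console.log(verifyDelivery(sampleHeaders(demoNow), sampleBody, SAMPLE_SECRET, demoNow))        // duplicate
console.log(verifyDelivery(sampleHeaders(demoNow), Buffer.from("{}"), SAMPLE_SECRET, demoNow)) // bad signature
```

As the page describes it, the HMAC covers only the body, so the timestamp and delivery-id headers are read after the signature passes but are not themselves authenticated by it.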

How to Connect It

  1. Install TryOnCloud on Shopify: Add the app from the Shopify App Store. The webhook is configured inside the app, in the Leads tab.
  2. Open Leads, then Integrations: Find the Webhook row in the Integrations table and click Connect.
  3. Paste your endpoint URL and copy the secret: Enter your HTTPS endpoint (your CRM's inbound webhook URL, a Zapier or Make catch hook, or your own server). Copy the signing secret shown once; store it securely.
  4. Verify on your side: Add the signature and timestamp checks above to your endpoint, or map the fields in Zapier or Make with no code.
  5. Go live: From now on, every captured try-on lead is delivered to your endpoint in real time, with guaranteed retries if anything is down.

That is the whole setup. No CSV juggling, no nightly sync, no lock-in. Your highest-intent shoppers reach your CRM the moment they engage, and you keep full control of where that data goes.

Frequently Asked Questions

The questions merchants and their engineering teams ask most before connecting a virtual try-on webhook to their CRM:

Any CRM, email platform, or automation tool that can accept an inbound HTTP POST. That includes Zoho CRM, Mailchimp, HubSpot, Salesforce, Brevo, ActiveCampaign, Omnisend, Sendlane, GoHighLevel, Drip, Customer.io, Pipedrive, and Constant Contact, plus automation hubs like Zapier, Make, and n8n that then route the data to thousands of other apps. If your tool has an inbound webhook URL or a Zapier/Make connector, TryOnCloud can send to it.

Send Every Try-On Lead Straight to Your CRM

Install TryOnCloud from the Shopify App Store, connect the webhook in the Leads tab, and push real-time, signed leads to Zoho, Mailchimp, HubSpot, Salesforce, Zapier, or your own backend. Free on every plan.