Guide: Inbound Webhooks

Inbound webhooks let you send conversion events to CleanClicks from any external system: CRMs, marketing automation tools, Zapier, Make.com, n8n, or custom backends.

When to Use Inbound Webhooks

Use inbound webhooks when conversions happen outside the browser:

• CRM events: A lead is qualified in HubSpot, Salesforce, or your CRM
• Backend purchases: An order is completed through a custom checkout
• Phone calls: A call tracking system logs a completed call
• Form processors: A form submission is handled by a third-party system
• Manual events: Any event you want to push to CleanClicks programmatically

Endpoint

POST https://cleanclicks.yourdomain.com/__cc/inbound

Authentication

Include your API key in the X-CC-Api-Key header:

X-CC-Api-Key: cc_your_api_key_here

Create API keys in Configuration > API Keys tab. See API Keys.

Request Format

Send a JSON payload:

{
  "email": "customer@example.com",
  "event": "purchase",
  "value": 149.99,
  "currency": "USD",
  "orderId": "ORD-12345"
}

Required Fields

Optional Fields

Response

Success (200)

{
  "ok": true,
  "dispatched": ["googleads", "meta"]
}

The dispatched array shows which platforms received the event.

Error (400/401/500)

{
  "error": "Invalid API key"
}

How Attribution Works

When an inbound webhook arrives, CleanClicks:

1. Looks up the email address in its session database
2. If found, recovers the original visit's click IDs (gclid, fbclid, etc.), UTM parameters, and geographic data
3. Dispatches the event to all connected platforms with full attribution

This means a conversion that happens hours or days after the initial website visit still gets attributed to the correct ad click, as long as the same email was captured during the visitor's session.

If no prior session is found for the email, the event is still dispatched to ad platforms, but without click ID attribution. Platforms can still match via email using their own identity graphs.

Examples

Zapier

1. Create a Zap triggered by your CRM event
2. Add a Webhooks by Zapier action (POST)
3. URL: https://cleanclicks.yourdomain.com/__cc/inbound
4. Headers: X-CC-Api-Key: cc_your_key
5. Body: map fields from your trigger to the JSON format above

Make.com (Integromat)

1. Create a scenario with your trigger module
2. Add an HTTP Make a request module
3. Method: POST
4. URL: https://cleanclicks.yourdomain.com/__cc/inbound
5. Headers: X-CC-Api-Key: cc_your_key, Content-Type: application/json
6. Body: JSON with mapped fields

cURL (Testing)

curl -X POST https://cleanclicks.yourdomain.com/__cc/inbound \
  -H "Content-Type: application/json" \
  -H "X-CC-Api-Key: cc_your_api_key" \
  -d '{
    "email": "test@example.com",
    "event": "purchase",
    "value": 99.99,
    "currency": "USD"
  }'

Python

import requests

response = requests.post(
    "https://cleanclicks.yourdomain.com/__cc/inbound",
    headers={
        "Content-Type": "application/json",
        "X-CC-Api-Key": "cc_your_api_key"
    },
    json={
        "email": "customer@example.com",
        "event": "purchase",
        "value": 149.99,
        "currency": "USD",
        "orderId": "ORD-12345"
    }
)

print(response.json())

Node.js

const response = await fetch('https://cleanclicks.yourdomain.com/__cc/inbound', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-CC-Api-Key': 'cc_your_api_key'
  },
  body: JSON.stringify({
    email: 'customer@example.com',
    event: 'purchase',
    value: 149.99,
    currency: 'USD',
    orderId: 'ORD-12345'
  })
});

const data = await response.json();
console.log(data);

Security Notes

• Always use HTTPS. The endpoint enforces TLS.
• Keep API keys server-side. Never put them in browser JavaScript.
• One key per integration. Easier to revoke if compromised.
• Email is hashed automatically. You send the raw email; CleanClicks SHA-256 hashes it before relaying to ad platforms.

Related: API Keys | Connections Overview