Skip to main content
๐Ÿ”” Real-time Event NotificationsWebhooks allow Trackpilots to send real-time event data to your application whenever an event occurs.

โ€‹
๐Ÿ“Œ Overview

Webhooks enable your system to automatically receive event notifications from Trackpilots.
Whenever a selected event occurs, Trackpilots sends a POST request to your configured webhook URL with the event payload. You can create and manage webhooks from the Developer Tools section in the Trackpilots dashboard.

โ€‹
โž• Create a Webhook

Follow the steps below to create a new webhook:
  1. Open Developer Tools in your Trackpilots dashboard.
  2. Click Webhooks in the menu.
    ๐Ÿ‘‰ Direct link: https://app.trackpilots.com/developer-tools/webhooks
  3. Click the Create Webhook button in the top-right corner.
  4. Fill in the details:
    • ๐Ÿท๏ธ Webhook Name โ€“ Friendly name for identification
    • ๐ŸŒ Webhook URL โ€“ The endpoint where events will be delivered 
      https://yourdomain.com/webhooks/trackpilots
  5. Select the events you want to receive.
  6. Click Create.
๐ŸŽ‰ Your webhook is now active.

โ€‹
๐Ÿ“ก Supported Events

โ€‹
๐ŸŒ All Events

  • Enable this option to receive all available Trackpilots events.

โ€‹
๐Ÿ’ป Desktop Events

Currently supported desktop tracking events:
  • ๐Ÿ“ธ desktop.screenshot_tracking.captured
  • ๐Ÿง  desktop.app_tracking.captured
  • ๐Ÿ•’ desktop.activity_tracking.captured
Each event triggers a webhook call when captured.

โ€‹
โš™๏ธ Webhook Delivery Behavior

  • Trackpilots sends a POST request to your webhook URL
  • Payload is delivered in JSON format
  • Your server must return HTTP 2xx to confirm successful delivery

โ€‹
๐Ÿง‘โ€๐Ÿ’ป Sample Webhook Receiver (Node.js + Express)

Below is a secure Express.js webhook receiver with HMAC signature verification. 
import express from "express";
import crypto from "crypto";

const app = express();

// Webhook endpoint
app.post(
  "/webhooks/trackpilots",
  express.raw({ type: "application/json", limit: "50mb" }),
  (req, res) => {
    try {
      console.log("โœ… Webhook received successfully from Trackpilots...");

      // ๐Ÿ” Trackpilots webhook secret
      const webhookSecret = process.env.TRACKPILOTS_WEBHOOKS_SECRET_KEY;

      // Read headers
      const signature = req.headers["x-webhook-signature"];
      const timestamp = req.headers["x-webhook-timestamp"];

      if (!signature || !timestamp) {
        return res.status(400).send("Missing webhook signature headers");
      }

      // Raw body buffer
      const rawBody = req.body;

      // ๐Ÿ” Build payload for signing
      const payloadToSign = `${timestamp}.${rawBody.toString()}`;

      const expectedSignature = crypto
        .createHmac("sha256", webhookSecret)
        .update(payloadToSign)
        .digest("hex");

      // ๐Ÿ›‘ Verify signature
      if (signature !== expectedSignature) {
        return res.status(401).send("Invalid webhook signature");
      }

      // โœ… Verified โ†’ Parse event
      const event = JSON.parse(rawBody.toString());
      console.log("๐ŸŽฏ Verified Trackpilots Event:", event);

      // Respond success
      res.status(200).send("Webhook processed successfully โœ…");
    } catch (error) {
      console.error("โŒ Webhook processing error:", error);
      return res.status(500).send("Webhook processing failed");
    }
  }
);

// Start server
app.listen(3000, () => {
  console.log("๐Ÿš€ Webhook server running on http://localhost:3000");
});

โ€‹
๐Ÿ” Signature Verification Flow

Trackpilots secures webhooks using HMAC SHA256 signature validation to ensure authenticity and integrity.

โ€‹
๐Ÿ“ค Trackpilots Sends

Each webhook request includes:
  • ๐Ÿงพ x-webhook-signature
  • โฑ๏ธ x-webhook-timestamp
  • ๐Ÿ“ฆ Raw JSON request body

โ€‹
๐Ÿงฎ Your Server Generates

Your server must compute the expected signature:
HMAC_SHA256(timestamp + โ€.โ€ + body, WEBHOOK_SECRET)

โ€‹
โœ… Signature Match Rule

If the computed signature matches the received signature: ๐Ÿ‘‰ The webhook request is trusted and verified. This ensures the request is authentic and not tampered with.

โ€‹
๐Ÿงช Test Webhooks Locally

You can test Trackpilots webhooks in your local environment using ngrok.

โ€‹
๐Ÿš€ Start ngrok

ngrok http 3000
This exposes your local webhook server to the internet.

โ€‹
๐ŸŒ Set Webhook URL in Trackpilots

Use the generated ngrok public URL:
https://YOUR_NGROK_URL/webhooks/trackpilots
Paste this URL into the Webhook URL field in the Trackpilots dashboard.

โ€‹
โš ๏ธ Security Best Practices

โš ๏ธ Ensure High AvailabilityMake sure your webhook endpoint is publicly accessible and highly available to avoid missed events.
  • Validate incoming webhook payloads.
  • Log webhook requests for debugging and auditing.
  • Handle duplicate events gracefully.
  • Secure your endpoint using signature validation (recommended).
๐Ÿ›ก๏ธ Always verify webhook signatures: Never trust incoming webhook requests without validation.

โ€‹
๐Ÿ”’ Recommended Practices

  • Store webhook secrets in environment variables
  • Reject requests with invalid signatures
  • Log webhook events for auditing and debugging
  • Always use HTTPS
  • Apply IP allowlisting for enterprise-grade security

โ€‹
โœ… Summary

Webhooks enable real-time integrations with Trackpilots, including:
  • โš™๏ธ Automation workflows
  • ๐Ÿ“Š Analytics pipelines
  • ๐Ÿšจ Alert systems
  • ๐Ÿง  Productivity monitoring integrations
๐Ÿš€ More Events Coming SoonAdditional event types and webhook features will be added soon.
For custom webhook requirements, contact team@trackpilots.com.