Incoming webhooks
- Created per-user in Developer resources with selected scopes (crm, tasks, etc.)
- The URL embeds the auth key: https://yourportal.bitrix24.com/rest/USER_ID/KEY/method
- Call any in-scope REST method: crm.lead.add, crm.deal.update, crm.item.list…
- Treat the URL as a password: never commit it, never log it, rotate on staff exit
Outgoing webhooks and events
- Subscribe to events like ONCRMLEADADD or ONCRMDEALUPDATE
- Bitrix24 POSTs event payloads to your handler URL with an application token to verify
- Payloads carry IDs, not full records — fetch details with a follow-up get call
- Handle at-least-once delivery: your processing must be idempotent
The production skeleton
Every reliable webhook integration has the same shape: authenticate the request, validate the payload, enqueue immediately (respond 200 fast), process from the queue with controlled concurrency, retry transient failures with backoff, dead-letter what keeps failing, and log every step. This is the architecture behind our WebhookShield module, and the difference between an integration and an incident generator.