
Support data rarely stays inside one tool. A conversation may need to create a CRM note, open a task, notify engineering, update a customer record, or feed a reporting pipeline. Some of that work should be pulled from the API. Some should happen the moment an event occurs. That is why Convor exposes both REST endpoints and outgoing webhooks.
Use the API as the stable boundary
Generate an API key in the dashboard and send it as a Bearer token. The key is scoped to an organization, so integration code should never assume a global default organization. This matters when one integration service handles several customers. Keep the organization boundary explicit and avoid building automations around browser sessions or dashboard-only behavior.
Cursor pagination is there for a reason
Conversation and message lists grow while you read them. Offset pagination can skip or duplicate records when new rows arrive between requests. Cursor pagination continues from a known point in the ordered stream. For integrations, that means you should store your cursor or high-water mark, process pages more than once safely, and assume the list is changing under you.
Webhooks are delivery attempts
A webhook is not a distributed transaction. Your endpoint may be down, slow, deployed, rate-limited, or temporarily misconfigured. Convor sends webhook work through a queue so the visitor does not wait for an external system. On your side, the receiver should verify the request, store the event, return quickly, and process the heavier work later.
Verify the signature
Every webhook includes an HMAC signature. Use the shared secret from the webhook settings and verify the raw request body when your framework allows it. Do not parse JSON, serialize it again, and verify the changed string. Whitespace and key order can change. If you support timestamp checks, reject old requests to reduce replay risk.
Expect duplicates
Reliable webhook delivery may send the same event more than once. Receivers should be idempotent. Store an event ID or build a deterministic key from the payload before creating downstream objects. If the same CRM note appears twice, the receiver probably missed deduplication. The safe pattern is simple: verify, store, acknowledge, then process.
Use REST when your system needs to ask for state. Use webhooks when your system needs to react. Most serious integrations use both, because each solves a different part of the problem.
Get new posts in your inbox
No spam. Unsubscribe anytime.


