Send Toran leads to Zapier, Make, or n8n
Quick answer
Toran POSTs every captured lead — name, contact details, AI score, and tier — as a signed JSON webhook the moment it arrives. Point a Zapier Catch Hook at it and the lead lands in your CRM in seconds. The same webhook works with Zapier, Make, and n8n — and Zapier alone lists 5,000+ apps in its directory, so if your CRM exists, you can reach it.
Before you start
- A Toran Pro or Business plan — webhook egress is a paid-tier feature (see the plan table).
- A Zapier account (or Make / n8n — variant below).
- The CRM, sheet, or app you want leads to land in.
The recipe: Toran → Zapier → your CRM
-
1. Create a Catch Hook in Zapier. New Zap → trigger Webhooks by Zapier → event Catch Hook. Zapier shows you a unique webhook URL — copy it.
-
2. Paste it into Toran. Dashboard → your widget → Design → Chat & alerts → Outbound webhook. Paste the URL into the webhook field and save. Toran only accepts public HTTPS URLs.
-
3. Test it from the dashboard. Click Send test webhook right under the URL field. It fires a real signed POST through the exact production path and shows the result inline — Delivered ✓ or the precise failure reason. In Zapier, "Find new records" should surface the test request (event
lead.test, name "Test Lead") as sample data for mapping. -
4. Filter on
tier. Add a Filter by Zapier step: only continue iftierexactly matcheshot(add an OR rule forwarmif you want both). Tiers arehot,warm, andinfo. Prefer to filter before it ever leaves Toran? The dashboard's Send to webhook setting raises the floor server-side: all leads, warm + hot, or hot only. -
5. Map fields into your CRM action. Add your CRM's create-or-update step and map:
name,email,phoneto the contact;scoreandtierto a lead-priority field;sourceto "lead source";metadata.notes(what the visitor actually wrote) to the activity note;metadata.utm_source/utm_medium/utm_campaignto your attribution fields. Upsert onlead_idso retries never create duplicates — and add a filter soevent = lead.testnever writes a real CRM row.
Payload reference
Every delivery is a single JSON POST. Full receiver-side contract — signature verification code, retry semantics, endpoint requirements — lives in the docs; this is the field map you need for Zapier.
| Field | Type | Notes |
|---|---|---|
| event | string | lead.captured for real leads; lead.test for the dashboard test button. Branch on this before writing to your CRM. |
| lead_id | string (UUID) | Stable identity of the lead — your dedupe key. Test sends mint a fresh UUID per click. |
| widget_id | string (UUID) | Which widget captured the lead. |
| name | string | null | Visitor-supplied name. |
| string | null | Visitor-supplied. At least one of email / phone is always present — contactless chats never egress. | |
| phone | string | null | Visitor-supplied phone number. |
| score | number | null | AI lead score, 0–100. null means enrichment didn't finish — treat as unknown, not zero. |
| tier | string | null | hot, warm, or info — the classifier output at capture time. This is the field to filter on. |
| source | string | null | Page URL the lead came from (toran-dashboard-test on test sends). |
| timestamp | string | ISO 8601 UTC, set when the payload is built. |
| metadata | object | Lead context: notes (raw visitor free-text — treat as PII), utm_source, utm_medium, utm_campaign, company_name; test sends add test: true. New keys may appear — map what you need, ignore the rest. |
Request headers
| Header | Value |
|---|---|
| Content-Type | application/json |
| X-Toran-Signature | sha256=<hex> — HMAC-SHA256 of the raw request body, using the shared signing secret |
| X-Toran-Event | Mirrors the payload event field |
| User-Agent | Toran-Webhook/1.0 |
- Respond with any 2xx within five seconds to acknowledge (Zapier's Catch Hook does this automatically).
- Delivery is at-least-once: a failed attempt is retried once — dedupe on
lead_id. metadata.notesis raw visitor text — treat it as PII and never render it unescaped.- Use
tierandscorefor routing and prioritization, never as authentication.
The Make / n8n variant
Same webhook, different receiver — the Toran side never changes:
- Make: add a Webhooks → Custom webhook module, copy
its URL into Toran's webhook field, click Send test webhook so Make learns
the data structure, then add a Filter on
tierbetween the webhook and your CRM module. - n8n: add a Webhook node (method POST), use its production
URL in Toran, test the same way, then branch with an IF node on
tier(and oneventto routelead.testaway from real records). Self-hosted n8n keeps lead data entirely on your infrastructure.
Between them, Zapier, Make, and n8n connect to thousands of apps — Zapier's own directory lists 5,000+ — so "does Toran integrate with X?" is almost always "yes, via the webhook."
Frequently asked questions
Which Toran plans include the outbound webhook?
Webhook egress is included on Pro and Business. Every contact-bearing lead is POSTed to your URL the moment it's captured — score and tier attached — and the dashboard 'Send to webhook' setting lets you raise the floor to warm-and-hot or hot-only on the server side.
How do I keep test leads out of my CRM?
Branch on the event field. Real leads arrive as event = lead.captured; the dashboard's 'Send test webhook' button sends event = lead.test with obviously fake contact data and metadata.test = true. Add a Zapier Filter (or a Make router / n8n IF node) that only continues when event equals lead.captured.
How do I verify a request really came from Toran?
Every request carries an X-Toran-Signature header: 'sha256=' followed by the HMAC-SHA256 of the raw request body, computed with a shared signing secret (available to integration customers via support). Verify against the raw bytes you received — re-serializing the parsed JSON will break the digest. In no-code Zaps most teams skip verification and rely on the unguessable Catch Hook URL; verify the signature when your endpoint is your own code.
What if my CRM isn't in Zapier's directory?
The webhook is a plain signed JSON POST, so you don't need Zapier at all: point Toran straight at your own HTTPS endpoint, or use Make or self-hosted n8n. Anything that can receive a POST can receive Toran leads.
Can the same lead arrive twice?
Yes — delivery is at-least-once. A failed attempt is retried once, and operational re-sends can repeat a lead. Use lead_id as your dedupe key: upsert on it instead of blindly creating rows.
Why this beats polling your inbox
The webhook fires the moment a lead is captured, with the AI score and tier already attached — so your CRM, your Slack channel, and your follow-up sequence all start while the visitor is still on your site. Pair it with speed-to-lead routing and the first reply is yours.