A Webhook is created for a presentation through the webhooks admin screen.

If you want a form to be sent through the webhook, set the event category to data-capture.

Adding security to your webhooks

In the webhook configuration options, Mobile Locker allows you to specify a secret key to send along with each request to verify that the request is coming from Mobile Locker. We also send along an HMAC with each request using your secret key so that you can verify that the request body hasn't changed en route to your webhook URL. The secret key is included as an HTTP header named X-MobileLocker-Signature

  "environment": "production",
  "sender": {
    "id": 3,
    "first_name": "Mark",
    "last_name": "Stralka",
    "name": "Mark Stralka",
    "name_reverse": "Stralka, Mark",
    "email": "[email protected]",
    "verified": 1,
    "status": "Active",
    "phone": "+1 215-821-6450",
    "country": {
      "id": "US",
      "name": "United States"
    "timezone": "America\/New_York",
    "external_id": null,
    "photo_url": "https:\/\/www.gravatar.com\/avatar\/c90d44f533d302c9f64d8b83771f8c12.jpg?s=200&d=mm",
    "current_team_id": 1,
    "last_accessed_at": "2017-01-10T18:20:05+00:00",
    "created_at": "2016-11-25T22:14:52+00:00",
    "updated_at": "2017-01-10T18:12:28+00:00"
  "presentation": {
    "id": 404,
    "team_id": 1,
    "name": "Kazaamax Starter",
    "code": "kazaamax_starter",
    "status": "Active",
    "presentation_type": "HTML",
    "icon": "fa-html5",
    "description": "A starter presentation used for demos",
    "main_path": "index.html",
    "main_filename": "index.html",
    "thumbnail": null,
    "settings": {
      "ga_profile_id": null,
      "rotation_mode": "both",
      "legacy": {
        "hide_status_bar": false,
        "supports_rotation": false,
        "supports_zoom": false,
        "rotation_mode": "landscape",
        "menu_bar_taps": 2,
        "bounce_enabled": true,
        "bounce_zoom_enabled": true,
        "clear_cache_on_open": false,
        "clear_cache_on_exit": false
    "ga_profile_id": null,
    "files_hash": "79b959f38f925f540228cd725d0896bf773446cb",
    "files": [],
    "labels": [],
    "last_accessed_at": "2017-01-10T18:17:40+00:00",
    "created_at": "2017-01-06T19:26:35+00:00",
    "updated_at": "2017-01-10T04:05:52+00:00"
  "device": {
    "id": 667,
    "uuid": "*****************************",
    "icon": "fa-tablet",
    "status": "Active",
    "team_id": 1,
    "user_id": 3,
    "device_type": "iPad",
    "model": "iPad",
    "localized_model": "iPad",
    "name": "a1000.vorenusventures",
    "user_agent": "MobileLocker-iOS-10.2 v:3.00.33 App:ED3D1A0A-BFF5-49EB-8C21-81356149077A",
    "os_name": "iOS",
    "os_version": "10.2",
    "app_version": "3.00",
    "last_ip_address": "",
    "last_connected_at": "2017-01-10 18:20:05",
    "last_connected_at_timestamp": 1484072405,
    "created_at": "2017-01-05 18:52:57",
    "updated_at": "2017-01-10 18:17:25"
  "device_session": {
    "id": 45563,
    "uuid": "5A7044EE-A7FD-442A-AE9C-2AD1C5288DFA",
    "session_type": "normal",
    "device_id": 667,
    "user_id": 3,
    "team_id": 1,
    "presentation_id": 404,
    "ip_address": "",
    "num_events": 4,
    "num_forms": 3,
    "num_screenshots": 0,
    "started_at": "2017-01-10T18:17:40+00:00",
    "ended_at": null,
    "duration": null,
    "created_at": "2017-01-10T18:18:50+00:00",
    "updated_at": "2017-01-10T18:20:05+00:00"
  "device_event": {
    "id": 337538,
    "uuid": "02B3BEE0-34F8-443A-8AB6-1DE7E59A8851",
    "event_at": "2017-01-10T18:20:05+00:00",
    "category": "data-capture",
    "action": "signup-form",
    "path": "signup-form",
    "event_type": "normal",
    "data": {
      "data_type": "parsed",
      "data": {
        "signature": null,
        "name": "Mark",
        "email": "Stralka",
        "company": "[email protected]",
        "signatureJSON": null,
        "country": "US"
    "device_id": 667,
    "ip_address": "",
    "session_id": 45563,
    "user_id": 3,
    "team_id": 1,
    "presentation_id": 404,
    "created_at": "2017-01-10T18:20:05+00:00",
    "updated_at": "2017-01-10T18:20:05+00:00",
    "flattened_data": {
      "signature": null,
      "name": "Mark Stralka",
      "email": "[email protected]",
      "company": "Mobile Locker",
      "signatureJSON": 'base-64-encoded PNG, truncated for brevity',
      "country": "US"

To validate the request with the signature header value, you will need to encrypt the body of the webhook request with HMAC using the SHA256 hashing function and your shared key.

$postdata = file_get_contents("php://input");
list ($method, $signature) = explode('=', $_SERVER['HTTP_X_FS_SIGNATURE'], 2);

if (hash_hmac($method, $postdata, 'secretkey') === $signature) {
  // Verified