Every scan. Every system. In real time.
ScanForge fires a signed HTTP POST on every scan event. Stream scans straight to your CRM, data warehouse, Zapier, or internal dashboards — with HMAC signature verification, automatic retries, and a full delivery log.
- Scan event fires on every redirect
- HMAC-SHA256 signature on every payload
- Automatic retry with exponential backoff
- Delivery log for every attempt
- Per-QR and per-workspace endpoints
- Works with Zapier, Make, n8n, and custom consumers
What's included
Scan event
Every time a dynamic QR is scanned, ScanForge sends a POST with the scan payload: code ID, timestamp, geo, device, referrer, and bot flag. Your handler can write to your DB, trigger a CRM update, or kick off a workflow.
Signature verification
Every payload is signed with HMAC-SHA256 using your webhook secret. Verify the header in your handler to confirm the request came from ScanForge and wasn't replayed or spoofed.
Automatic retries
If your endpoint responds with a 5xx or times out, ScanForge retries with exponential backoff for up to 24 hours. No scan is lost to a flaky downstream.
Delivery log
See every delivery attempt, the response code, the response body, and the retry state. Replay failed deliveries with one click.
Low-latency delivery
Webhooks fire within seconds of the scan. Downstream systems — your CRM, your marketing automation, your warehouse — stay in sync without polling.
Works with anything speaking HTTP
Zapier, Make, n8n, Pipedream, Workato, a Slack webhook, a Lambda function, an internal service — any URL that accepts POST. No SDK required.
Common questions
- Does ScanForge have QR scan webhooks?
- Yes. Every dynamic QR code can fire a signed HTTP POST webhook on every scan. The payload includes the code ID, timestamp, geo, device, referrer, and bot flag. Webhooks are included on the Business plan, with per-QR and per-workspace endpoint configuration.
- How do I verify a webhook came from ScanForge?
- Every payload is signed with HMAC-SHA256 using a secret you set when you register the webhook. ScanForge includes the signature in an X-ScanForge-Signature header. Your handler computes HMAC-SHA256 of the raw request body with the same secret and compares — a match confirms the request is authentic.
- What happens if my webhook endpoint is down?
- ScanForge retries with exponential backoff for up to 24 hours. Every attempt is logged with its response code and body so you can replay or debug. Permanent failures surface in the delivery log so nothing gets silently lost.
- Can I pipe scans into Zapier or Make?
- Yes. Configure your webhook to POST to a Zapier or Make catch-hook URL. From there you can fan out to Google Sheets, Salesforce, HubSpot, Slack, Notion, or any of the thousands of integrations those platforms support.
- What's the webhook payload look like?
- JSON with: event type (scan), code ID, timestamp (ISO 8601), geo object (country/region/city), device object (type/browser/OS), referrer, user-agent, destination URL the scan resolved to, and a bot flag indicating whether ScanForge classified this as human traffic. Full schema is in the API docs.
Related features
Every scan, wherever your stack lives.
7-day free trial — full access, no credit card required.