One reply, everywhere
your team already works.
Every event Warmbly fires rides one wire to your whole stack. A positive reply upserts your CRM, pings Slack, fires a Zap, and POSTs your own endpoint, all at once. Connect over OAuth, an API key, or a webhook URL, then build the rest on a signed stream.
One event. Every destination.
Integrations are not bolt-on connectors that each poll for changes. Every state change publishes one internal event, and each connected tool subscribes to what it cares about. A single positive reply reaches your CRM, your team chat, your automation platform, and your own server in the same beat.
campaign.reply_received Contact upserted, the reply logged as a timeline note.
A channel pinged with the prospect, mailbox, and thread.
Your Zap fires and branches across 8,000+ apps.
A signed POST lands on your own server in real time.
Three ways in. One connect drawer.
The method follows the provider, not the other way around. OAuth where there is a per-user identity, an API key for account-scoped tools and automation platforms, and a minted webhook URL for inbound bookings. The drawer surfaces the right one; the flow is the same every time.
A one-click authorization handshake. You approve scopes inside the provider, and Warmbly stores only the encrypted token. Revoke from either side at any time.
For account-scoped tools and automation platforms. Paste a provider key, or mint a scoped Warmbly key for Zapier, Make and n8n to authenticate against your data.
Warmbly mints an inbound URL per organization. Paste it into the provider, and their POSTs route to you by the secret in the path. Rotate it to invalidate instantly.
Eleven providers, four categories.
The whole directory the dashboard renders, in catalog order. Filter by what you are wiring up. Each tile shows the real authentication method, so you know what you will paste before you start.
Real-time alerts for positive replies, bounces, and deliverability.
Attribute booked meetings to the campaign that surfaced the lead.
Plus on-demand Google Sheets lead sync, which reads a spreadsheet into your contacts from the Contacts tab rather than the catalog.
A booked meeting knows which campaign earned it.
Calendly and Cal.com are two different webhook shapes. Warmbly normalizes both into one booking record, joins it to the contact and the campaign that surfaced the lead, and fires a reply event so the rest of your stack treats a booking like the win it is.
- One inbound URL per organization, minted for you. Paste it into the provider.
- invitee.created and BOOKING_CREATED become one record.
- Reporting credits the meeting to the sequence and mailbox that opened the door.
Not on the list? Subscribe to the stream.
21 event types, signed with HMAC-SHA256 in the same format Stripe uses, retried with capped exponential backoff, and recorded with full delivery history per endpoint. Subscribe to everything, or filter to the handful you act on.
- X-Warmbly-Signature: t=<unix>,v1=<hex> on every POST.
- Per-endpoint filter by event type.
- Rotate a secret and the old one dies immediately.
POST /your/webhook HTTP/1.1
X-Warmbly-Signature: t=1748443269,v1=9f2a…c1b7
{
"id": "f4a07e0c-a4b1-4dc8-9c5d-2c1b3e29c7b1",
"event_type": "campaign.reply_received",
"organization_id": "8c4e7c3d-…",
"created_at": "2026-05-28T14:21:09Z",
"data": { "trigger": "positive_reply", "campaign": "q1-outbound" }
} email_account.connected A mailbox finished onboarding. email_account.removed A mailbox left the workspace. campaign.email_sent A sequence step dispatched to a recipient. campaign.email_delivered The receiver acknowledged delivery. campaign.email_opened Open pixel resolved. Unreliable at scale. campaign.email_clicked A tracked link was clicked, deduped per recipient. campaign.email_bounced Hard or soft bounce. Suppression follows. campaign.reply_received A prospect replied, or a meeting was booked. campaign.unsubscribed One-click unsubscribe or a STOP reply. campaign.started Campaign moved into the running state. campaign.paused Auto-paused on a spike, or paused by hand. campaign.completed The last step dispatched for the last recipient. campaign.deliverability_warning A campaign tripped a deliverability guardrail. campaign.action A sequence action node executed. warmup.email_sent A warmup message went out to a pool partner. warmup.health_changed A mailbox moved between health states. warmup.placement_in_spam A warmup probe landed in junk. warmup.quarantined Mailbox dropped to the recovery pool. 7-day cooldown. warmup.blocked Mailbox hard-blocked from the pool. 30-day cooldown. deliverability.bounce An external bounce event was ingested. deliverability.complaint An external complaint event was ingested. What happens after we POST you.
A webhook you cannot trust or cannot recover is not a webhook. Every delivery is signed so you can verify it, retried so a blip never costs you an event, deduped so a retry never doubles up, and recorded so you can replay it.
X-Warmbly-Signature Every POST carries t=<unix>,v1=<hex>, the same scheme Stripe uses. Verify the digest before you trust the body.
up to 8 attempts A non-2xx doubles the wait each try, capped at one hour, then gives up. Nothing is dropped silently.
replay-safe Each delivery carries a stable id, and SKIP LOCKED keeps two replicas from fanning the same event out twice.
every attempt Status, response, and a body excerpt are recorded per attempt. Replay any delivery from the dashboard.
Credentials are sealed, not stored.
Integration credentials use the same encryption envelope as mailbox OAuth tokens. Per-organization data encryption keys are wrapped by AWS KMS, and plaintext keys are never written to disk.
AES-256-GCM with a per-organization data key wrapped by AWS KMS. Plaintext lives only in a TTL-bounded cache during active use.
CRM, automation and notification keys are never serialized back to the API. The dashboard sees only public display fields.
A leaked URL touches one organization. Rotating the secret invalidates the old path immediately.
Outbound webhook targets are HTTPS-only and blocked from obvious internal addresses. Self-hosted can opt into unsafe URLs.
Every state change Warmbly makes publishes one internal event. Connected integrations and your own webhook endpoints each subscribe to the event types they care about, and the fan-out runs on an internal queue. A single campaign.reply_received can upsert a HubSpot contact, ping Slack, fire a Zap, and POST your endpoint, all from one reply.
No, and on purpose. OAuth is used where the provider exposes a per-user identity: HubSpot, Salesforce, Pipedrive and Slack. Account-scoped tools like Close, and automation platforms like Zapier, Make and n8n, authenticate with an API key. Calendly, Cal.com and Discord use a webhook URL. The connect drawer picks the right method per provider.
The connection moves to a degraded state and the dashboard surfaces the provider error. Degraded connections stop attempting new fan-out until you rotate the key or re-authenticate, so a dead token never silently drops events on the floor.
Calendly POSTs invitee.created and Cal.com POSTs BOOKING_CREATED to the URL we mint. Both are normalized into one booking record, joined to the originating contact and campaign, and a campaign.reply_received fires with trigger=meeting_booked so downstream subscribers see which sequence earned the meeting.
Yes. A connection is unique per organization, provider and label, so you can hold a HubSpot connection per workspace or a Slack connection per channel, side by side.
Subscribe to the webhook stream and build it directly, or route it through Zapier, Make or n8n. The twenty-one event types cover every state transition Warmbly emits internally, each HMAC-signed in the same format Stripe uses.
Wire Warmbly into your stack.
Connect a provider in two clicks, or subscribe to the signed event stream and build the integration yourself.