API and Webhooks in HighLevel

The API and webhooks are how HighLevel talks to everything else. If you need HighLevel to connect to a tool that does not have a native integration, this is how you build that bridge.

Reading time: approximately 9 minutes.

What Is the HighLevel API?

The HighLevel API is a REST API that gives developers programmatic access to the HighLevel platform. Instead of clicking through the interface, you can read, write, and manage data – contacts, appointments, pipelines, messages, payments – through code.

The current version is API V2, which uses OAuth 2.0 authentication. API V1 has reached end-of-support.

Existing V1 integrations may continue to function, but HighLevel will not provide updates or support for them. Any new integration should be built on V2.

The official documentation is at marketplace.gohighlevel.com/docs. The developer community hub, including the Dev Slack, documentation links, and event calendar, is at developers.gohighlevel.com.

Basic API access is included on Starter and Unlimited plans. Advanced API access – which includes Agency API keys and additional OAuth 2.0 endpoints – is available on the Agency Pro plan.

Authentication: OAuth 2.0 vs Private Integration Tokens

HighLevel V2 supports two authentication approaches. Choosing the right one depends on what you are building and who it is for.

Both token types are used the same way in API requests – as a Bearer token in the Authorization header. The difference is how you obtain and manage them, not how you use them in the request itself.

Token security matters. Always scope tokens to the minimum permissions needed.

Rotate Private Integration Tokens every 90 days. Never commit tokens to version control or share them publicly.

What API Endpoints Are Available

HighLevel API V2 covers the major areas of the platform. The full reference is at marketplace.gohighlevel.com/docs.

Rate Limits and Response Headers

HighLevel API V2 using OAuth enforces two rate limits to maintain platform stability.

The burst limit is 100 API requests per 10 seconds per Marketplace app per resource (Location or Company). The daily limit is 200,000 API requests per day per Marketplace app per resource.

Rate limit headers are included in every API response. Build your integration to read these headers and implement exponential backoff before hitting limits.

A 429 response code means the rate limit has been reached – the integration should wait before retrying.

For the SaaS Configurator API specifically, the global rate limit is 10 requests per second. Always check the specific rate limit documentation for each API area before building high-volume integrations.

Webhooks: Outbound and Inbound

HighLevel has two distinct webhook systems. They work in opposite directions and solve different problems.

Custom Webhook Action (Premium)

The Custom Webhook workflow action is the most flexible outbound option. It supports all four HTTP methods – GET, POST, PUT, DELETE – and five authentication types: Bearer token, API key, Basic Auth, OAuth2, and custom headers.

Dynamic contact fields and custom values can be mapped into the payload, headers, and query parameters.

If the receiving server returns a non-2xx response, HighLevel retries with exponential backoff. Errors show as failed actions in Execution Logs with details on the response code received.

Inbound Webhook Trigger (Premium)

The Inbound Webhook trigger is the entry point for data coming from external systems into HighLevel. When you add it as a trigger, HighLevel generates a unique URL for that workflow.

Any external system – Zapier, Make, a custom application, an e-commerce platform – can POST data to that URL to enroll a contact and fire the workflow.

The data fields in the incoming POST body become available as custom values inside the workflow, usable in conditions, actions, and message personalization.

System Webhooks

System webhooks are configured at the platform level in Settings → Webhooks. They fire automatically on specific HighLevel events – such as a new contact being created, a SaaS plan being added, or a payment being processed – and deliver the event payload to an endpoint you register.

HighLevel signs system webhook payloads with an HMAC SHA256 signature in the X-HighLevel-Signature header. Validate this signature on your receiving endpoint to confirm the request genuinely came from HighLevel.

What You Can Build With It

• Sync HighLevel contacts with an external CRM or database by using the Contacts API to push new contacts from HighLevel to another system on creation, or pull external records into HighLevel when a new customer is added elsewhere – keeping both systems in sync without manual data entry
• Trigger HighLevel workflows from external events using the Inbound Webhook trigger – an e-commerce platform fires a webhook when an order is placed, HighLevel receives it and immediately enrolls the buyer in a post-purchase onboarding workflow
• Send HighLevel contact data to external tools mid-workflow using the Custom Webhook action – when a lead reaches a qualification threshold in a nurture sequence, fire a webhook to your project management tool to create a client onboarding task automatically
• Build a custom client reporting dashboard by pulling HighLevel data via the API – query contact counts, pipeline stage distributions, appointment volumes, and payment totals into a custom dashboard that surfaces the metrics your clients actually care about
• Automate sub-account provisioning for an agency using the Locations API and SaaS Configurator API – when a new client signs up, programmatically create their sub-account, assign the right SaaS plan, and enroll them in onboarding workflows without manual setup
• Connect HighLevel to Zapier or Make without writing any code – use the outbound Webhook action to send data from a HighLevel workflow to a Zap, and use the Inbound Webhook trigger to receive data from a Zap and fire a HighLevel workflow, bridging HighLevel with thousands of apps through either platform
• Retrieve call logs and transcripts from Voice AI programmatically using the Voice AI Public APIs – pull call outcome data into external reporting systems or compliance archives without manually exporting from the HighLevel interface

Key Definitions

Use Cases by Industry

Marketing Agencies

An agency manages 40 client sub-accounts on HighLevel. When a new client signs a contract (Documents and Contracts trigger), a workflow fires a Custom Webhook action to the agency’s internal provisioning system.

That system calls the HighLevel Locations API to create the sub-account, assigns the SaaS plan via the SaaS Configurator API, and sends the client their login credentials – all without any manual setup by the agency team.

Outcome: New client sub-accounts are fully provisioned in minutes rather than hours. No setup steps are missed.

The agency team focuses on strategy rather than account administration.

E-Commerce

An e-commerce business uses Shopify for order processing and HighLevel for customer follow-up. When an order is placed in Shopify, Shopify sends a webhook to the HighLevel Inbound Webhook trigger URL.

HighLevel receives the order data – product name, order total, customer email – and immediately enrolls the customer in a post-purchase sequence: an order confirmation, a shipping update follow-up, and a review request seven days later.

Outcome: Every customer receives a timely, personalized post-purchase sequence triggered in real time by the order event, without any manual enrollment or Shopify-HighLevel native integration.

SaaS Companies

A SaaS company needs to sync its customer database with HighLevel. When a new user signs up on their platform, their backend sends a POST request to an HighLevel Inbound Webhook URL containing the user’s name, email, plan tier, and company name.

HighLevel creates a contact with those details, applies a tag matching the plan tier, and enrolls the user in the appropriate onboarding workflow for that plan.

Outcome: Every new user is in HighLevel within seconds of signing up, tagged correctly, and enrolled in the right onboarding sequence – without any manual import or CSV upload.

Real Estate

A real estate team uses a third-party MLS data provider that fires webhooks when a new listing matches a saved search for a buyer contact. That webhook hits the HighLevel Inbound Webhook trigger, passing the listing address, price, and photos URL.

HighLevel uses the data to send a personalized SMS to the buyer: “A new listing matching your search just hit the market.” The contact’s custom fields are updated with the listing details.

Outcome: Buyers receive real-time, personalized listing alerts from their agent powered by HighLevel – with no manual outreach required when a matching property appears.

Healthcare and Wellness

A healthcare practice uses a separate EHR system for patient records. After each appointment, the EHR fires a webhook to HighLevel containing the patient’s contact ID and appointment outcome.

HighLevel receives the data and uses an Inbound Webhook workflow to route the patient to the correct post-appointment sequence based on the outcome field – standard follow-up, specialist referral follow-up, or post-procedure recovery check-ins.

Outcome: Patient follow-up is personalized to the clinical outcome of each appointment automatically, without staff manually routing patients between communication sequences after each visit.

Who Is This For?

How to Set Up API and Webhooks in HighLevel

Step 1: Access the Developer Documentation

Visit marketplace.gohighlevel.com/docs for the full API V2 reference. Browse endpoint categories to identify what your integration needs.

For community support, join the HighLevel Dev Slack at developers.gohighlevel.com/join-dev-community.

Step 2: Create a Private Integration Token

Go to Settings → Private Integrations in your sub-account or agency. Click Create New Integration.

Name it descriptively. Select only the scopes your integration requires.

Copy the token immediately – it cannot be retrieved again. Store it securely.

Plan to rotate it every 90 days.

Step 3: Make Your First API Call

Use the token as a Bearer token in the Authorization header. Set the Version header to the required API version date.

Use an API client like Postman to test endpoints before writing code. Start with a simple GET request – for example, retrieving your location details – to confirm the token and headers are working correctly.

Step 4: Enable Premium Features for Webhooks

Go to Agency Settings → Workflow Premium Features and enable the toggle. Sub-accounts receive 100 free executions.

Rebilling can be enabled per sub-account to pass execution costs to clients at your chosen markup.

Step 5: Add a Custom Webhook Action to a Workflow

Inside a workflow, click + to add an action. Search for Custom Webhook.

Enter the destination URL, select the HTTP method, and configure authentication. Map contact fields and custom values into the payload.

Give the action a descriptive name. Save.

Step 6: Set Up an Inbound Webhook Trigger

Create a new workflow. Add a trigger and select Inbound Webhook from the Premium section.

Copy the unique URL HighLevel generates. Configure your external system to POST data to that URL.

The POST body fields are available as custom values in all downstream workflow actions.

Step 7: Test Before Going Live

Use Webhook.site or RequestBin to capture and inspect outbound webhook payloads before pointing them at production systems. For inbound webhooks, send a sample POST and check Execution Logs to confirm data was received and parsed correctly.

Fix any field mapping issues before enrolling real contacts.

Step 8: Apply Security Best Practices

Scope all tokens to minimum permissions. Never share tokens publicly.

Rotate Private Integration Tokens every 90 days using Rotate and Expire Later. Validate HMAC SHA256 signatures on system webhook endpoints.

Implement exponential backoff retry logic for API integrations to handle 429 rate limit responses.

Step 9: Monitor and Maintain

Check Execution Logs in workflows for failed Custom Webhook actions. Monitor rate limit response headers to stay ahead of daily and burst limits.

For high-volume integrations, spread requests across time windows rather than firing large batches simultaneously. Submit API feature requests or report documentation issues via the HighLevel GitHub repository.

How It Connects to the Rest of HighLevel

• Workflow Builder and Automation Engine – the Custom Webhook action and Inbound Webhook trigger are both workflow components. The Custom Webhook fires as a workflow action when a contact reaches that step. The Inbound Webhook is a workflow trigger that enrolls contacts when an external system sends data to the unique URL. Both live entirely inside the Workflow Builder.
• Advanced Workflow Builder – complex multi-trigger workflows that use both Inbound Webhooks and Custom Webhook actions benefit from the Advanced Builder’s freeform canvas, which makes the data flow between external systems and HighLevel action sequences easier to visualize and document.
• Tag-Based Automation – a common pattern is to use an Inbound Webhook to receive external event data, apply a specific tag inside the workflow, and then let that tag trigger a separate purpose-built workflow. This keeps the integration logic and the business logic in separate, maintainable workflows.
• Workflow Version History – workflows containing Custom Webhook or Inbound Webhook configurations are version-controlled the same as any other workflow. When a webhook URL or authentication configuration changes, restoring a previous version recovers the prior working configuration instantly.
• Multi-Channel Campaigns – Custom Webhook actions can be added to multi-channel campaign workflows to fire external notifications – for example, sending a Slack alert to a sales rep when a contact reaches a high-intent step in the campaign sequence.

Common Questions

To Wrap It Up

The HighLevel API and webhooks are the layer that connects HighLevel to everything else in a business’s tech stack. For most users, the no-code webhook tools in the Workflow Builder – the standard outbound webhook action and the Inbound Webhook trigger – handle the majority of integration needs without any API knowledge required.

The full REST API is for developers building custom tools, automating sub-account management at scale, or creating products on top of the HighLevel platform.

The single most important decision when starting an integration is choosing the right authentication method. Private Integration Tokens for internal tools.

OAuth 2.0 for anything you plan to distribute to other HighLevel accounts. Getting this right at the start prevents significant rework later.

1. Start with the Webhook.site testing approach before building any outbound webhook into production – seeing the exact payload HighLevel sends prevents hours of debugging field mapping issues after go-live
2. Scope all Private Integration Tokens to the minimum permissions needed – a token scoped to contacts.write cannot accidentally delete pipeline opportunities even if it is compromised
3. Implement exponential backoff retry logic on every API integration before launch – rate limit 429 errors are inevitable at volume and an integration without retry logic will simply fail silently
4. Validate HMAC SHA256 signatures on every system webhook endpoint you build – it is a five-line check that prevents your systems from processing forged webhook payloads
5. Rotate Private Integration Tokens before the 90-day mark using Rotate and Expire Later – the 7-day overlap window means zero downtime if you update connected systems promptly

A well-built HighLevel API integration runs quietly in the background and makes the entire business’s data ecosystem feel like one connected system rather than a collection of separate tools.