Real-time event delivery
Receive notifications when LemonX workflows create, update, complete, fail or require review.
LemonX Webhooks let developers send real-time events from WordPress to external systems. When content is created, an AEO analysis finishes, a translation is queued, an MCP preview is applied, an indexing request is submitted, a report is generated or a license status changes, LemonX can notify your own apps, dashboards and automation tools.
Build event-driven workflows between LemonX, WordPress, CRMs, client portals, agency dashboards, analytics systems, Make, n8n, Zapier-style automations, Slack alerts and internal platforms.
Event-driven · Signed payloads · Retry-aware · Built for WordPress AI automation
LemonX Webhooks are outbound event notifications sent from a LemonX-powered WordPress site to an external URL. They allow other systems to react when important LemonX actions occur.
Instead of constantly polling the REST API to check whether something changed, your system can receive an event when the change actually happens.
Receive notifications when LemonX workflows create, update, complete, fail or require review.
Webhooks can cover AEO, Code, Verto, MCP, Pro, Cloud Gateway, reports, tasks and content workflows.
Connect LemonX to CRMs, client dashboards, analytics systems, Slack, Make, n8n, internal tools or custom apps.
Webhook payloads should be signed, timestamped and verified before your system trusts them.
AI-powered websites generate many events: new drafts, content previews, SEO analysis, translation tasks, indexing requests, MCP actions, report generation, usage changes and license updates. Without webhooks, external systems must repeatedly ask WordPress if anything changed.
Webhooks reverse that flow. LemonX tells your system when something important happens.
Send events from client WordPress sites to a central agency dashboard whenever content, SEO, translation, report or MCP activity changes.
Result: Your agency dashboard stays updated without constantly polling each client website.
Notify your team when important workflows finish, fail or require attention.
Result: Teams can act faster when AI, translation, indexing or report workflows need review.
Trigger an external approval system when AI creates a draft, proposes an update or generates a preview.
Result: Editors, clients or managers can review AI-generated changes before they are applied.
Send events when translations are queued, completed, failed or ready for human review.
Result: Global content teams can coordinate multilingual publishing across languages and regions.
Send MCP tool calls, applied previews and AI-driven changes to an external audit or security system.
Result: Developers and security teams can track what AI agents did inside WordPress.
Notify external systems when AEO analysis completes, indexing requests are submitted or search reports are generated.
Result: SEO teams can connect LemonX activity with reporting, project management and campaign tracking tools.
Send license, entitlement, quota and usage events to account dashboards or billing-related systems.
Result: Teams can monitor account access, plan limits and premium feature availability across sites.
LemonX Webhooks should follow the same product structure as the LemonX ecosystem. Each product can emit events related to its own workflows, while shared system events handle tasks, reports, licenses, usage and security.
Content events notify external systems when WordPress content changes through LemonX workflows.
AEO events notify external systems when search optimization workflows produce new results, recommendations or actions.
Code events notify external systems when AI-generated content, page structures, templates or migration tasks are created or updated.
Verto events notify external systems when content enters translation, translation completes, review is needed or multilingual SEO fields are generated.
MCP events notify external systems when AI clients connect, call tools, create previews, apply changes or encounter errors.
Pro and Cloud Gateway events notify external systems when account-level, license-level or cloud-connected states change.
Report events notify external systems when LemonX generates, updates or exports reports.
Task events help developers track workflows that may take time, such as translation, AI generation, OCR, indexing, reports, migration and cloud sync.
Security events notify external systems when authentication, permission, API key, webhook or MCP access changes.
Webhook payloads should be predictable, structured and easy for external systems to parse. Each event should include event type, delivery ID, timestamp, site identity, resource data and event-specific details.
{
"event": "mcp.preview_applied",
"delivery_id": "lx_delivery_123456",
"created_at": "2026-07-04T10:00:00Z",
"site": {
"id": "site_abc123",
"url": "https://example.com",
"name": "Example WordPress Site"
},
"actor": {
"type": "user",
"id": 12,
"role": "administrator"
},
"source": {
"product": "mcp",
"client": "claude_desktop",
"tool": "preview_apply"
},
"resource": {
"type": "page",
"id": 245,
"url": "https://example.com/services",
"title": "Services"
},
"data": {
"preview_id": "lx_preview_789",
"action": "content_update",
"status": "applied"
}
}X-LemonX-Event: mcp.preview_applied X-LemonX-Delivery: lx_delivery_123456 X-LemonX-Timestamp: 1783178400 X-LemonX-Signature: sha256=... X-LemonX-Site: site_abc123 X-LemonX-Version: 1 User-Agent: LemonX-Webhooks/1.0
The event type, such as content.updated or verto.translation_completed.
A unique ID for this delivery attempt. Use it for deduplication and debugging.
The time the webhook was sent. Use it to prevent replay attacks.
A signature generated using the webhook secret. Verify it before trusting the payload.
The site identity associated with the event.
The webhook payload version.
A webhook endpoint is a public URL that receives data from LemonX. Because public URLs can receive requests from anyone, your system should verify every delivery before processing it.
Webhook endpoints should use HTTPS. Do not send sensitive event data to plain HTTP endpoints.
Each webhook should include a signature generated with a shared secret. Your system should recreate the signature and compare it securely.
Reject webhook deliveries with old timestamps to reduce replay attack risk.
Store processed delivery IDs so repeated attempts do not trigger duplicate actions.
Only process event types your system expects.
Do not assume every payload is valid. Check required fields before processing.
Rate limit webhook endpoints, reject invalid signatures and log suspicious requests.
The exact implementation may vary, but the general pattern is the same: combine timestamp and raw payload, generate an HMAC signature using the shared secret, then compare it to the signature header.
signed_payload = timestamp + "." + raw_body expected_signature = HMAC_SHA256(webhook_secret, signed_payload) compare expected_signature with X-LemonX-Signature
function verify_lemonx_webhook( $raw_body, $timestamp, $signature_header, $secret ) {
if ( empty( $raw_body ) || empty( $timestamp ) || empty( $signature_header ) || empty( $secret ) ) {
return false;
}
$tolerance = 300;
if ( abs( time() - (int) $timestamp ) > $tolerance ) {
return false;
}
$signed_payload = $timestamp . '.' . $raw_body;
$expected = 'sha256=' . hash_hmac( 'sha256', $signed_payload, $secret );
return hash_equals( $expected, $signature_header );
}A LemonX workflow produces an event such as translation completed, MCP preview applied or report generated.
LemonX checks which webhook endpoints are subscribed to that event type.
LemonX builds a structured JSON payload with event details.
LemonX signs the payload using the webhook secret.
LemonX sends an HTTP POST request to the configured endpoint.
Your system checks signature, timestamp, event type and payload structure.
Your endpoint returns a 2xx response if the event was accepted.
If delivery fails, LemonX may retry according to retry rules.
LemonX stores delivery status for debugging and visibility.
Webhook endpoints can fail for many reasons: network issues, downtime, rate limits, deployment windows or temporary errors. LemonX should support retry behavior for failed deliveries.
LemonX should provide a way to create, test, disable, delete and inspect webhooks. This can be available through the WordPress admin UI, REST API or Cloud Gateway depending on the product configuration.
Developers can use REST API endpoints to register and manage webhooks. These endpoint names are examples and should match the final LemonX implementation.
GET /wp-json/lemonx/v1/webhooks
POST /wp-json/lemonx/v1/webhooks
GET /wp-json/lemonx/v1/webhooks/{id}
PATCH /wp-json/lemonx/v1/webhooks/{id}
DELETE /wp-json/lemonx/v1/webhooks/{id}
POST /wp-json/lemonx/v1/webhooks/{id}/test
POST /wp-json/lemonx/v1/webhooks/{id}/rotate-secret
GET /wp-json/lemonx/v1/webhooks/{id}/deliveries
POST /wp-json/lemonx/v1/webhooks/deliveries/{delivery_id}/resend{
"name": "Agency Dashboard",
"url": "https://agency.example.com/lemonx/webhook",
"events": [
"content.updated",
"aeo.analysis_completed",
"verto.translation_completed",
"mcp.preview_applied",
"report.generated"
],
"status": "active"
}{
"success": true,
"data": {
"id": "wh_123",
"name": "Agency Dashboard",
"url": "https://agency.example.com/lemonx/webhook",
"status": "active",
"events": [
"content.updated",
"aeo.analysis_completed",
"verto.translation_completed",
"mcp.preview_applied",
"report.generated"
],
"secret_preview": "whsec_****abcd"
}
}A busy WordPress site can produce many events. Developers should avoid sending every possible event to every endpoint. Instead, create focused webhook subscriptions.
content.updatedaeo.analysis_completedverto.translation_completedreport.generatedlicense.status_changedmcp.tool_calledmcp.preview_appliedsecurity.api_key_createdsecurity.permission_changedsecurity.webhook_failedverto.translation_queuedverto.translation_completedverto.translation_failedverto.translation_review_requiredreport.generatedreport.exportedreport.failedtask.failedusage.recordedusage.quota_warningusage.quota_exceededlicense.expiredentitlement.updatedUse a staging endpoint or webhook inspection tool during development.
Use the LemonX webhook test action to send a sample payload.
Make sure your receiver correctly verifies timestamp and signature.
Return a temporary 500 response and confirm retry behavior.
Send the same delivery ID twice and confirm your system does not process it twice.
Confirm your endpoint receives only the events it subscribed to.
Use separate webhook secrets for staging and production.
Webhooks make it possible to connect LemonX workflows with automation platforms. When a LemonX event occurs, the automation platform can receive the payload and trigger the next step.
Do not process unsigned or invalid webhook requests.
Webhook deliveries may be retried. Use delivery IDs to prevent duplicate processing.
Return a response as soon as possible. For slow work, queue the job in your own system.
Only subscribe to events your endpoint needs.
Keep a record of delivery IDs, event types, timestamps and processing status.
Use different endpoints and secrets for different environments.
Rotate webhook secrets when team members change or if a secret may be exposed.
Your system should not break when LemonX adds new event types.
Verify signature, timestamp, event type and required fields.
Webhook payloads should contain enough information to react. If your system needs full details, use the REST API to fetch the latest resource state.
Your system asks LemonX for data or triggers an action.
LemonX tells your system when something happens.
Summary: REST API is request-based. Webhooks are event-based. Most serious integrations should use both.
When AI agents operate WordPress through LemonX MCP, webhooks can make those actions visible to external systems.
Why it matters: AI actions should not disappear into the background. Webhooks make MCP workflows observable, auditable and easier to coordinate with human teams.
product.resource_action
content.draft_created content.updated aeo.analysis_completed verto.translation_completed mcp.preview_applied report.generated license.status_changed usage.quota_warning security.api_key_revoked
| Status | Meaning | Recommended Action |
|---|---|---|
| pending | Delivery has not been attempted yet | Wait |
| delivered | Endpoint returned 2xx | No action needed |
| retrying | Delivery failed and will retry | Check endpoint logs |
| failed | Delivery failed after all attempts | Resend manually or fix endpoint |
| disabled | Webhook endpoint was disabled | Review configuration |
| signature_failed | Receiver rejected signature | Check secret |
| timeout | Endpoint did not respond in time | Respond faster or queue work |
| invalid_url | Endpoint URL is invalid | Fix URL |
| rate_limited | Endpoint rejected too many requests | Reduce event volume |
Webhook payloads should include enough data to identify and process the event, but they should avoid sending unnecessary sensitive information.
Use webhooks to connect WordPress AI actions, SEO workflows, translation progress, MCP activity, reports and cloud events with your own tools and automation systems.
LemonX Webhooks turn AI, SEO, translation, MCP and cloud workflows into events your external systems can understand and act on.