diff --git a/app/routes/web.php b/app/routes/web.php
index 755fbba9..147cd333 100644
--- a/app/routes/web.php
+++ b/app/routes/web.php
@@ -126,6 +126,13 @@ Route::get('/api/lead-statuses', 'App\Http\Controllers\Api\LeadStatusController@
 Route::post('/api/webhook/{token}', 'App\Http\Controllers\Api\WebhookReceiveController@receive')
     ->where('token', '[A-Za-z0-9\-_]+');
 
+// Supplier-integration webhook (Plan 2/5, spec §5.1).
+// Platform-wide endpoint: единый {secret} в URL для всех лидов от crm.bp-gr.ru.
+// Auth: secret (system_settings.supplier_webhook_secret) + IP allowlist
+// (system_settings.supplier_ip_allowlist). Не пересекается с legacy /api/webhook/{token}.
+Route::post('/api/webhook/supplier/{secret}', 'App\Http\Controllers\Api\SupplierWebhookController@receive')
+    ->where('secret', '[A-Za-z0-9_\-]+');
+
 // 2FA setup wizard — все эндпоинты под auth:sanctum (только для уже залогиненных).
 Route::prefix('/api/2fa')->middleware('auth:sanctum')->group(function () {
     Route::post('/init', 'App\Http\Controllers\Api\TwoFactorSetupController@init');