Webhook Trigger
Receives inbound HTTP events from external systems and starts workflow execution. Use this for integrations with services like Stripe, GitHub, Clerk, or any system that sends webhook notifications.
Use Webhook Trigger when:
- An external service sends a POST (or other method) to notify you of an event
- You want to react to events asynchronously (no synchronous response required)
- The sender does not wait for your workflow to finish
If you need to return a response synchronously (the caller waits for your workflow), use API Endpoint instead.
| Handle | Type | Description |
|---|---|---|
payload | object | The full incoming request envelope |
The payload (accessed as {{ webhook.* }}) shape:
| Field | Type | Description |
|---|---|---|
body | any | Parsed request body (JSON, text, or form data) |
headers | object | All request headers |
query | object | URL query parameters |
method | string | HTTP method used |
path | string | Request path |
rawBody | string | Unparsed body string |
contentType | string | Value of the Content-Type header |
| Setting | Type | Default | Description |
|---|---|---|---|
path | string | /webhook | Route suffix for this endpoint. Example: /stripe/events |
method | select | POST | HTTP method accepted. Most providers send POST. |
verificationType | select | none | How to verify the sender: none, static-secret, or hmac-signature |
secret | secret | — | Signing key or static secret. Only shown when verificationType is not none. |
signatureHeaderName | string | X-Signature-256 | Header containing the signature sent by the provider. |
signatureAlgorithm | select | sha256 | HMAC algorithm: sha256 or sha512. |
timestampHeader | string | X-Webhook-Timestamp | Header with Unix-seconds timestamp for replay protection. |
signatureToleranceSeconds | number | 300 | Max age of a request in seconds. Set to 0 to disable. |
missingTimestamp | select | allow | Whether to accept requests without a timestamp header. |
responseMode | select | ack-immediately | ack-immediately returns 200 instantly. use-workflow-response holds the connection until a Return node fires. |
mockPayload | JSON | — | Test body injected during canvas testing. |
mockHeaders | JSON | — | Test headers injected during canvas testing. |
To receive GitHub push events with HMAC verification:
- Set
pathto/github/push - Set
verificationTypetohmac-signature - Set
signatureHeaderNametoX-Hub-Signature-256 - Set
signatureAlgorithmtosha256 - Set
secretto your GitHub webhook secret - In GitHub, point the webhook to your deployed URL with content type
application/json
Access the push event payload in downstream nodes:
{{ webhook.body.repository.full_name }}
{{ webhook.body.commits }}
{{ webhook.headers["x-github-event"] }}
- Stripe webhooks: Use
hmac-signature, setsignatureHeaderNametoStripe-Signature, and setsignatureAlgorithmtosha256. Stripe embeds the timestamp in the signature header — the built-in parser handles this automatically. - Response mode: Most webhook providers do not wait for a response. Set
responseModetoack-immediatelyunless you have a specific reason to hold the connection. - Path collisions: Each workflow has a unique base URL. The
pathsetting is only a suffix — you cannot create conflicting routes across workflows.
- API Endpoint — synchronous HTTP endpoint with response
- Deploying Workflows — how to get the webhook URL