Webhook Trigger

Receives inbound HTTP events from external systems and starts workflow execution. Supports automatic signature verification for popular providers (Stripe, GitHub, Shopify, Clerk, Slack) or custom HMAC/static-secret verification for any webhook source.

When to Use

Use Webhook Trigger when:

An external service sends HTTP notifications to your workflow (e.g. Stripe payment events, GitHub push events)
You want to react to events asynchronously (default) or return a synchronous response
You need built-in signature verification for a supported provider

If you need a programmable API with multiple HTTP methods and authentication, use API Endpoint instead.

Output

Handle	Type	Description
`payload`	object	The full incoming request envelope

The payload (accessed as {{ webhook.* }}) shape:

Field	Type	Description
`body`	any	Parsed request body (JSON, text, or form data)
`headers`	object	All request headers
`query`	object	URL query parameters
`method`	string	HTTP method used (GET, POST, etc.)
`path`	string	Request path
`rawBody`	string	Unparsed body string (needed for HMAC verification)
`contentType`	string	Value of the `Content-Type` header
`source`	string	Source identifier (e.g. `"webhook"`)
`auth`	object	Authentication result — `type` and `verified` status
`request`	object	Request metadata — `requestId` and `receivedAt` timestamp

Settings

Provider

Setting	Type	Default	Description
`provider`	select	`generic`	Select a provider for automatic signature verification. Options: `Generic / Custom`, `Stripe`, `GitHub`, `Shopify`, `Clerk (Svix)`, `Slack`.

When you select a named provider (Stripe, GitHub, etc.), signature verification is handled automatically — you only need to provide the signing secret as an environment variable. The verification type, header names, and algorithms are all pre-configured.

Endpoint

Setting	Type	Default	Description
`path`	string	`/webhook`	Route suffix for this endpoint. Example: `/stripe/events`
`method`	select	`POST`	HTTP method accepted: GET, POST, PUT, PATCH, DELETE. Most providers send POST.
`responseMode`	select	`ack-immediately`	`ack-immediately` returns 200 instantly. `use-workflow-response` holds the connection until a Return node fires.

Verification (Generic Provider Only)

These fields appear only when provider is set to Generic / Custom:

Setting	Type	Default	Description
`verificationType`	select	`none`	How to verify the sender: `none`, `static-secret` (header value match), or `hmac-signature` (cryptographic).
`signatureHeaderName`	string	`X-Signature-256`	Header containing the signature or secret sent by the provider. Shown when verification is `static-secret` or `hmac-signature`.
`signatureAlgorithm`	select	`sha256`	HMAC digest algorithm: `sha256` or `sha512`. Shown when verification is `hmac-signature`.
`timestampHeader`	string	`X-Webhook-Timestamp`	Header with Unix-seconds timestamp for replay protection. Shown when verification is `hmac-signature`.
`signatureToleranceSeconds`	number	`300`	Max age of a request in seconds before it is rejected as a replay.
`missingTimestamp`	select	`allow`	Whether to accept or reject requests missing the timestamp header.

Testing

Setting	Type	Default	Description
`mockPayload`	code editor	`{}`	JSON body to inject when running this workflow locally for testing.
`mockHeaders`	code editor	`{}`	JSON headers to inject when running this workflow locally for testing.

Required Secrets

The WEBHOOK_SECRET environment variable is required when using a named provider (Stripe, GitHub, Shopify, Clerk, Slack) or when using the Generic provider with static-secret or hmac-signature verification.

Configure it in your workspace's Environment Variables settings.

| Variable | When Required | Description | |----------|---------------|-------------| | WEBHOOK_SECRET | Named providers; Generic with verification enabled | The signing secret provided by the webhook source |

Example

Canvas

Stripe payment processing with automatic verification:

Set provider to Stripe
Set path to /stripe/events
Add WEBHOOK_SECRET env var with your Stripe signing secret (whsec_...)
In the Stripe Dashboard, point the webhook to your deployed URL

Access the event in downstream nodes:

{{ webhook.body.type }}
{{ webhook.body.data.object.amount }}
{{ webhook.body.data.object.customer }}

GitHub push events with automatic verification:

Set provider to GitHub
Set path to /github/push
Add WEBHOOK_SECRET env var with your GitHub webhook secret
In GitHub, set the webhook URL and content type to application/json

{{ webhook.body.repository.full_name }}
{{ webhook.body.commits }}
{{ webhook.headers["x-github-event"] }}

TSL

import webhook from @tensorify/webhook-trigger:4.0.0
import http_request from @tensorify/http-request:3.0.0

node trigger @tensorify/webhook-trigger:4.0.0 {
    provider = "stripe"
    path = "/stripe/events"
    method = "POST"
    responseMode = "ack-immediately"
}

node process @tensorify/http-request:3.0.0 {
    method = "POST"
    url = "https://api.example.com/process-payment"
}

trigger.payload -> process.body

Common Gotchas

Provider vs Generic: When you select a named provider (Stripe, GitHub, etc.), the verification settings are handled automatically. You only need to provide the WEBHOOK_SECRET env var. Switch to Generic only for unsupported webhook sources.
Response mode: Most webhook providers do not wait for a response. Keep responseMode set to ack-immediately unless you need to return a computed value (use use-workflow-response with a Return node).
Path collisions: Each workflow has a unique base URL. The path setting is only a suffix — you cannot create conflicting routes across workflows.
rawBody for HMAC: Signature verification uses the raw request body. If you modify or re-parse the body before verification, the signature check will fail.
Replay protection: With HMAC verification, requests older than signatureToleranceSeconds (default 5 minutes) are rejected. Set missingTimestamp to reject for stricter security.