Setting Up a Webhook Connection

Set up inbound webhook connections to receive data from external systems.

Overview

A webhook connection gives you a stable inbound URL that an external system can POST to. When a request arrives at that URL, Spojit verifies it, parses the payload, and uses it as the trigger payload for any workflow whose Webhook trigger points at the connection.

Webhook connections are the inbound counterpart to outbound connectors. You create one webhook connection per external producer (Shopify, Stripe, a vendor system) and then point one or more workflows at it via a Webhook trigger. This keeps signing secrets, URL rotation, and verification logic in one place rather than scattered across every workflow.

Before You Start

  • Admin access on the external system so you can paste the webhook URL into its settings.
  • If the external system supports signed webhooks, the algorithm it uses (e.g. HMAC-SHA256) and where it places the signature header.

Steps

  1. Go to Connections and click + Add Connection.
  2. Select a webhook connector. Use a vendor-specific one (e.g. Shopify Webhook, Stripe Webhook) when available so signature verification is preconfigured, or the generic Spojit Webhook for any other source.
  3. Configure signature verification. For vendor connectors this is preset; for the generic webhook you choose the algorithm and signature header.
  4. Click Save. Spojit generates a unique inbound URL and a signing secret.
  5. Copy the URL and paste it into the external system's webhook settings. Copy the signing secret into the same place if the system requires one.
  6. Trigger a test event from the external system. Confirm it arrived and was verified by checking the execution log of any workflow with a Webhook trigger pointing at this connection.

Webhook Connection Settings

  • URL - The stable inbound endpoint Spojit generated. Treat it as semi-secret; rotation requires repointing the producer.
  • Signing secret - Used to verify the X-Signature header (or vendor equivalent). Rotate from the connection page and update the producer in lock step.
  • Signature algorithm - HMAC variant used to compute the signature.
  • Allowed event types - Optional filter for vendor connectors that send many event types over one URL.

Tips

  • Use one webhook connection per producer, not per workflow. Multiple workflows can listen to the same connection via Webhook triggers.
  • Send a test event from the producer immediately after setup so you can confirm verification works before wiring it to a real workflow.
  • Keep the signing secret enabled even in development. Catching a verification failure early is easier than debugging a malformed payload later.

Common Pitfalls

  • Signature mismatch - Producers sometimes sign the raw body before any whitespace normalisation. If verification fails, double-check the algorithm and the exact header name.
  • Rotating the secret without updating the producer - The connection will reject every subsequent delivery. Rotate, then immediately update the producer.
  • Reusing the same connection across environments - A staging producer hitting the production webhook URL can fire real workflows. Create a separate connection per environment.
  • Forgetting to enable the workflow - The connection can receive events even when no workflow consumes them; deliveries land in the log but trigger nothing.

Related Articles

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.