Setting Up a Webhook Trigger

Configure a webhook trigger so external systems can start your workflow via HTTP.

Overview

A webhook trigger exposes your workflow as a unique HTTPS endpoint. When an external system (a SaaS app, your own backend, a no-code tool) sends an HTTP POST to that URL, Spojit starts the workflow and makes the request payload available to downstream nodes.

Webhook triggers are how Spojit consumes real-time events from other systems. You point a service's webhook configuration at the URL Spojit generates, pick a signature scheme so Spojit can verify the request is genuine, and decide whether to respond immediately or hold the connection open until the workflow finishes.

Before You Start

  • You need a webhook connection in the workspace. The connection determines how Spojit verifies incoming requests. Create one in Connections if you do not have it yet.
  • The external system must be able to call an HTTPS URL with a POST request.

Configuration

  1. Click the Trigger node on your canvas.
  2. Set the trigger type to Webhook.
  3. Pick a webhook connection. This selects the signature verification scheme.
  4. Copy the generated webhook URL and paste it into the external system's webhook configuration.
  5. Choose a response mode (immediate or wait for completion) and set a timeout if you choose wait.
  6. Save the workflow and make sure it is enabled.

Signature Verification Schemes

  • Spojit V1 - HMAC-SHA256 with a Stripe-style signature header. Default for new webhooks created in Spojit.
  • Shopify - Verifies the X-Shopify-Hmac-Sha256 header.
  • GitHub - Verifies the X-Hub-Signature-256 header.
  • Slack - Verifies Slack's signing secret with timestamp skew protection.
  • Custom - Configure your own signature header name, encoding, and algorithm.

Response Mode

  • Immediately - Spojit returns 200 OK the moment the request is accepted. The workflow runs in the background. Use this for fire-and-forget events.
  • Wait for completion - The HTTP connection stays open until the workflow finishes, then Spojit returns the result. Pair with a Response node to control the body, and set a timeout to avoid indefinite hangs.

Accessing the Payload

The request body is available downstream as {{ input }}. Address individual fields with dot notation:

  • {{ input.order_id }} - A top-level field.
  • {{ input.customer.email }} - A nested field.
  • {{ input.items[0].sku }} - The first element of an array.

Example: Shopify Order Webhook

Create a webhook trigger with the Shopify signature scheme, paste the generated URL into Shopify's Notifications -> Webhooks for the orders/create event, and reference {{ input.id }}, {{ input.total_price }}, and {{ input.email }} in downstream Connector nodes.

Tips

  • Use Wait for completion only when the caller actually needs the result. It ties up an HTTP connection for the duration of the workflow.
  • Add a Condition node early to filter out events you do not care about, rather than letting every webhook fire a full execution.
  • Test by replaying a real payload from the sending system, not a hand-crafted one. Real payloads catch shape assumptions you would otherwise miss.
  • Rotate the signing secret on the webhook connection if you suspect the URL has leaked.

Common Pitfalls

  • Signature mismatch - The external system must sign the exact request body Spojit receives. Modifying the body in transit (proxies, transformations) breaks verification.
  • Workflow disabled - A disabled workflow returns a non-2xx response. The sender may consider the webhook failed and retry or disable it.
  • Long-running workflows in wait mode - Most senders time out after 10-30 seconds. Use immediate mode plus a callback for anything longer.
  • Wrong connection - Picking the Shopify scheme for a non-Shopify sender silently rejects every request as unauthentic. Match the scheme to the sender.

Related Articles

Learn More

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.