Custom Webhook Trigger

Receive webhooks with a custom signature verification scheme.

Overview

The Custom Webhook Trigger lets a workflow run whenever an external service POSTs an HTTP request to a Spojit-generated URL. It is designed for services that do not have a built-in connector but sign their payloads with HMAC, a shared secret, or another header-based scheme.

You typically use this trigger to ingest events from internal systems, legacy applications, or third-party SaaS tools that do not match one of the named webhook triggers. The verified payload becomes the starting input for the workflow, which can then transform it, fan out to multiple destinations, or call other connectors.

What You Can Do

The Custom Webhook Trigger receives signed HTTP requests and exposes their contents to the workflow body:

• signature-header - the request header that carries the signature (for example X-Signature or X-Hub-Signature-256).
• algorithm - the HMAC algorithm used to sign the payload (sha256, sha1, or sha512).
• encoding - how the signature is encoded (hex or base64).
• secret - the shared secret Spojit uses to recompute and compare the signature.
• body - the raw JSON payload exposed to the workflow once the signature is verified.
• headers - the full set of request headers available for routing or filtering.

Authentication

The Custom Webhook Trigger does not call an external API, so it has no OAuth or API key. Authentication is one-directional: Spojit generates a unique webhook URL when you create the connection, and verifies inbound requests against the signature scheme you configure. Choose the header name, algorithm, and encoding to match what the calling service sends.

Setting Up Your Connection

1. Go to Connections from the sidebar.
2. Click + Add Connection.
3. Search for Custom Webhook Trigger and select it.
4. Enter the signature-header, algorithm, encoding, and secret that the sending service will use.
5. Spojit generates a webhook URL. Copy it.
6. Give your connection a name (for example "Internal Billing Webhook") and click Save.
7. In the external service, paste the generated URL as the webhook endpoint and configure it to sign payloads with the same secret and algorithm.

Using the Trigger

Workflows that use this connection start on a webhook trigger node bound to the connection. When a verified request arrives, the trigger fires and the rest of the workflow runs against the request body and headers. Use variable references like {{trigger.body}} and {{trigger.headers}} in downstream nodes to act on the incoming payload.

Tips

• Use a long, random secret. Rotate it on a schedule and update both Spojit and the sending service together.
• If the sender supports both raw body signing and JSON-stringified signing, prefer raw body signing to avoid whitespace mismatches.
• Keep the connection name descriptive so you can tell multiple webhook sources apart in execution logs.
• Test the signature scheme by sending a known payload from the source and confirming the workflow runs before pointing production traffic at the URL.

Common Pitfalls

• Algorithm or encoding mismatches (for example sha256 hex vs sha256 base64) cause every request to be rejected as unsigned.
• Some services prefix the signature with a scheme name like sha256=; if signatures keep failing, check whether the prefix is included in the header value.
• Trailing whitespace or content-type rewriting by a proxy in front of the sender can change the bytes Spojit hashes. Send directly when possible.
• The webhook URL is sensitive; treat it like a credential and do not commit it to public repos.

Common Use Cases

• How to Build a Webhook-Triggered Order Processing Workflow
• How to Connect to Any REST API Using HTTP Requests
• How to Parse and Transform XML Data from Legacy Systems

Related Articles

• Setting Up a Webhook Trigger
• Setting Up a Webhook Connection
• Spojit Webhook Trigger
• GitHub Webhook Trigger
• Shopify Webhook Trigger

For technical API details and field specifications, see the Custom Webhook Trigger trigger documentation.