🇬🇧 EN

🔗 Webhook Trigger

The Webhook Trigger fires a workflow run each time an HTTP POST request is received at the workflow's unique webhook URL. It is the most common integration point between Flusso and external applications, enabling any system that can send HTTP requests to start a workflow and pass it data in real time.

Category: Triggers · Type identifier: webhook_trigger

Overview

Every workflow that uses a Webhook Trigger is assigned a permanent, unique URL. When an external service — such as a payment processor, a form builder, a CRM, or any custom application — sends an HTTP POST request to that URL, Flusso fires the workflow immediately. The full request body, request headers, and HTTP method are all captured and made available to subsequent steps as output variables.

The Webhook Trigger is unopinionated about the shape of the incoming data. Whether the sender sends a simple flat JSON object or a deeply nested payload, the entire body lands in {{ trigger.output.payload }} exactly as received. This makes the Webhook Trigger suitable for integrating with virtually any third-party service that supports outbound webhooks.

To protect your workflow from unauthorised callers, the Webhook Trigger supports two authentication modes: Header Secret (a shared secret token checked in a named header) and HMAC Signature (a cryptographic hash of the request body verified with a signing key). You should always configure one of these in production.

Your Webhook URL

The webhook URL for your workflow is shown at the top of the Webhook Trigger's configuration drawer. It follows this format:

https://your-flusso-instance.com/api/webhooks/{workflow-id}

Copy this URL and paste it into the webhook configuration of the external service you want to connect. The URL is permanent — it does not change even if you rename the workflow.

Configuration

Field	Required	Description
Auth Type	Required	How to authenticate incoming requests. Choose one of: None — no authentication. Any request to the URL will trigger the workflow. Not recommended for production. Header Secret — the sender must include a specific header with a secret value you define. HMAC Signature — the sender signs the request body with a shared secret using HMAC-SHA256; Flusso validates the signature.
Header Name	Conditional	Only shown when Auth Type is set to Header Secret. The name of the HTTP header the sender must include (for example, `X-Webhook-Token` or `Authorization`).
Secret	Conditional	The secret value (for Header Secret mode) or the HMAC signing key (for HMAC Signature mode). In Header Secret mode, Flusso rejects requests where the header value does not exactly match this string. In HMAC mode, Flusso computes the expected signature and rejects requests where the signatures do not match.

Output Data

The Webhook Trigger exposes three output variables to downstream steps:

Variable	Type	Description
`trigger.output.payload`	Object / Array	The full request body, parsed as JSON. If the sender sends form data, it is converted to an object.
`trigger.output.headers`	Object	All HTTP request headers as key-value pairs (header names are lowercased).
`trigger.output.method`	String	The HTTP method of the incoming request (always `POST` for standard webhook senders).

// Access fields inside the payload {{ trigger.output.payload.order_id }} {{ trigger.output.payload.customer.email }} // Access a specific request header {{ trigger.output.headers.content-type }} // Check the HTTP method {{ trigger.output.method }}

Example Usage

Receiving a form submission from an external website

Create the workflow and add a Webhook Trigger. Set Auth Type to Header Secret, enter X-Form-Token as the header name, and choose a long random string as the secret.
Copy the webhook URL from the trigger's configuration drawer.
Configure your form builder or website to POST to that URL on submission, including the header X-Form-Token: your-secret. The form fields will arrive in the payload.
In subsequent workflow steps, reference submitted fields such as {{ trigger.output.payload.name }} and {{ trigger.output.payload.email }}.

Tips & Notes

Always use authentication in production. A webhook URL with Auth Type set to None will execute your workflow for any request from anyone on the internet. Use Header Secret at minimum, or HMAC Signature for services that support it.

HMAC Signature mode is more secure than Header Secret because even if someone intercepts a request, they cannot replay it with modified data — the signature would no longer match. Use HMAC when the sending service supports it (Stripe, GitHub, and Shopify each have their own dedicated trigger nodes that handle signature validation automatically).
The workflow responds with HTTP 200 immediately upon receiving the request. Workflow execution is asynchronous — if you need to return a custom response to the caller, use the Webhook Response node in your workflow.
Payload size limit: Flusso accepts request bodies up to 10 MB. For larger payloads, consider passing a URL to the data rather than the data itself.
Testing: Use a tool like webhook.site or your browser's developer tools to inspect outgoing requests from your external service before connecting it to Flusso.

Related Nodes

Webhook Response — send a synchronous response back to the webhook caller.
Manual Trigger — fire the workflow on demand without an external request.
Stripe Trigger — webhook trigger with built-in Stripe signature validation.
GitHub Trigger — webhook trigger with built-in GitHub HMAC validation.
Shopify Trigger — webhook trigger with built-in Shopify HMAC validation.