Webhooks API

Retrieve webhook URLs and test webhook-triggered flows programmatically.

Get Webhook URL

Retrieve the webhook URL for a webhook-triggered flow.

GET /api/v1/flows/{flowId}/webhook

Response:

{
  "flowId": "flow_abc123",
  "webhookUrl": "https://engine.onflowstack.com/api/v1/webhooks/flow_abc123",
  "method": "POST",
  "enabled": true
}

Send Test Webhook

Trigger a flow by sending data to its webhook URL.

curl -X POST "https://engine.onflowstack.com/api/v1/webhooks/flow_abc123" \
  -H "Content-Type: application/json" \
  -d '{
    "event": "order.created",
    "data": {
      "orderId": "ORD-12345",
      "amount": 99.99,
      "customer": {
        "name": "Jane Doe",
        "email": "jane@example.com"
      }
    }
  }'

Response: 200 OK

{
  "runId": "run_xyz789",
  "status": "RUNNING"
}

Webhook Security

Verify Webhook Signatures

If the sending service signs payloads, verify the signature:

import crypto from 'crypto';

function verifySignature(payload: string, signature: string, secret: string): boolean {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

IP Allowlisting

On Enterprise plans, you can restrict webhook access to specific IP ranges:

POST /api/v1/flows/{flowId}/webhook/security

{
  "allowedIPs": [
    "203.0.113.0/24",
    "198.51.100.42"
  ]
}

Get Webhook URL​

Send Test Webhook​

Webhook Security​

Verify Webhook Signatures​

IP Allowlisting​

Get Webhook URL

Send Test Webhook

Webhook Security

Verify Webhook Signatures

IP Allowlisting