HookFlow

Webhook Sources

Webhook sources are the entry points for webhooks in HookFlow. This guide explains how to create, configure, and manage your webhook sources.

Creating a Webhook Source

To create a new webhook source:

  1. From your dashboard, click "Create New Source" or navigate to Sources and click "Add Source".
  2. Fill in the basic information:
    • Name: A descriptive name for your webhook source
    • Provider Template: (Optional) Select a pre-configured template for common services
    • Description: (Optional) Add details about this source
  3. Configure security settings:
    • Secret Key: The secret used to verify webhook signatures
    • Signature Header: The HTTP header containing the signature
    • Signature Algorithm: The algorithm used for signature verification
  4. Configure at least one destination (see Destinations for details).
  5. Click "Create Source" to save your configuration.

Provider Templates

Using a provider template automatically configures the signature verification settings for common services like Stripe, GitHub, and Shopify. We recommend using templates when available for easier setup.

Using Your Webhook URL

After creating a source, you'll receive a unique webhook URL in the format:

https://hookflow.com/hook/[userId]/[hookId]

Copy this URL and configure it in your webhook provider's settings. The exact steps vary by provider:

Stripe

  1. Go to the Stripe Dashboard
  2. Navigate to Developers → Webhooks
  3. Click "Add endpoint"
  4. Paste your HookFlow URL
  5. Select the events you want to receive
  6. Copy the "Signing secret" and add it to your HookFlow source configuration

GitHub

  1. Go to your GitHub repository
  2. Navigate to Settings → Webhooks
  3. Click "Add webhook"
  4. Paste your HookFlow URL in the "Payload URL" field
  5. Set Content type to "application/json"
  6. Create a secret and add it to your HookFlow source configuration
  7. Choose which events you want to trigger the webhook

Shopify

  1. Go to your Shopify admin
  2. Navigate to Settings → Notifications → Webhooks
  3. Click "Create webhook"
  4. Select an event from the dropdown
  5. Paste your HookFlow URL in the "URL" field
  6. Select the webhook version
  7. Click "Save webhook"

Managing Webhook Sources

Viewing Sources

To view all your webhook sources:

  1. Navigate to the Sources page from your dashboard
  2. You'll see a list of all sources for your current project
  3. Click on any source to view its details

Editing a Source

To edit an existing webhook source:

  1. Navigate to the Sources page
  2. Click on the source you want to edit
  3. Make your changes to the configuration
  4. Click "Save Changes"

Note: Editing a source's security settings (secret key, signature header, etc.) may require updating the corresponding settings in your webhook provider.

Disabling a Source

To temporarily disable a webhook source without deleting it:

  1. Navigate to the Sources page
  2. Find the source you want to disable
  3. Toggle the Active switch to off

When a source is disabled, HookFlow will still receive webhooks but won't process or forward them.

Deleting a Source

To permanently delete a webhook source:

  1. Navigate to the Sources page
  2. Click on the source you want to delete
  3. Scroll to the bottom and click "Delete Source"
  4. Confirm the deletion

Warning: Deleting a source is permanent and cannot be undone. All associated webhooks and logs will also be deleted.

Webhook Security

Securing your webhooks is essential to prevent unauthorized access and ensure data integrity. HookFlow provides several security features:

Signature Verification

Signature verification ensures that webhooks are actually sent by your provider and haven't been tampered with. When configured, HookFlow will:

  1. Extract the signature from the specified HTTP header
  2. Compute a signature using your secret key and the webhook payload
  3. Compare the computed signature with the received signature
  4. Reject the webhook if signatures don't match

Supported Signature Algorithms

  • HMAC-SHA256: Used by most providers including Stripe and GitHub
  • HMAC-SHA1: Used by some older APIs
  • RSA-SHA256: Public/private key based verification

IP Allowlisting

For additional security, you can restrict which IP addresses can send webhooks to your source:

  1. Navigate to your source's settings
  2. Scroll to the "IP Allowlist" section
  3. Add the IP addresses or CIDR ranges that should be allowed
  4. Save your changes

Webhooks from IP addresses not on your allowlist will be rejected.

Next Steps

Now that you understand how to create and manage webhook sources, learn about: