What is an incoming webhook?
A webhook is an HTTP endpoint that an external system calls to notify FlowX when an event happens. Instead of FlowX polling for updates, the third-party system sends an HTTP POST the moment something occurs β and FlowX starts a process in response. Common uses include receiving events from payment processors, CRMs, ERPs, or CI/CD pipelines.Overview
Incoming Webhooks allow external systems to trigger FlowX processes by sending HTTP POST requests to a generated URL. Each webhook gets a unique, cryptographically secure API key for authentication β no IMAP setup, no polling, just a direct HTTP call. Use webhooks when you need to:- Receive events from third-party platforms (payment processors, CRMs, ERPs) that support outbound webhooks
- Trigger processes from CI/CD pipelines or internal tools via simple HTTP calls
- Replace polling-based integrations with event-driven process starts
API key authentication
JSON payload forwarding
Manage Triggers UI
Zero configuration
How it works
Create an Incoming Webhook data source
Connect to a Message Start Event
Commit and activate
Get the webhook URL
External system sends POST request
webhook-gateway service validates the API key, publishes the event to Kafka, and the process engine starts a new process instance.Creating a webhook data source
Navigate to Data Sources
Add a new data source
Configure basic information
Create

Connecting to a Message Catch Event
A webhook can drive two kinds of message catch events:On a Message Start Event
Open your process definition
Add a Message Start Event node
Configure the Process Trigger
- Set Trigger Type to Incoming Webhook
- In Select Webhook, choose your webhook data source from the dropdown
Save the node

On a Message Catch Intermediate Event
Use a webhook on an intermediate catch event to resume a process instance that is waiting for an external signal β for example, a callback from a third-party document scanner, a downstream system confirming an enqueued job, or a manual operator action delivered over HTTP.Add a Webhook Trigger intermediate catch event
Select the webhook data source
Set the Process Correlation Key
applicationId, orderId). At runtime this value is matched against the incoming payload to identify which waiting process instance to resume.Set the Process Key
Save the node
Webhook Correlation Key path syntax
The Webhook Correlation Key points into the incoming webhook payload. It uses dotted-path notation and supports array indices in square brackets, so deeply nested provider payloads can be addressed directly.field[N]) is supported in correlation keys, so the canonical Meta WhatsApp resume path works as-is. Paths like entry[0]... resolve directly and no longer need to be flattened in the producer before posting.Managing webhooks at runtime
Activating a webhook
For a webhook to appear in Manage Triggers:- The webhook data source must be created
- The webhook must be connected to a Message Start Event node
- The version must be committed
- Activate β Start accepting webhook requests
- Deactivate β Stop accepting requests. The API key and URL are preserved, so you can reactivate later without reconfiguring external systems.
- Get URL β View and copy the webhook URL with API key

Webhook URL and API key
When you activate a webhook and select Get URL, a modal displays:- Webhook URL β The full URL including the API key as a
flowxApiKeyquery parameter - Copy button β Copies the URL to clipboard
- Reset API Key β Generates a new API key (invalidates the previous URL)

Provider adapters
When a webhook is created in the Integration Designer, the Settings tab now exposes:- Provider β
GENERIC,SLACK, orMETA. Once saved, the provider becomes immutable; create a new webhook to switch. - Provider secret β the signing secret(s) obtained from the provider (for example, the Slack appβs signing secret, or the Meta verify token + app secret pair). Stored encrypted; can be rotated independently of the API key.
${configParam.name} placeholder syntax β placeholders are resolved at registration time the same way LLM provider secrets are.
Generic provider
The default. No signature validation is performed; authentication relies on the FlowXflowxApiKey and HTTPS. Use GENERIC for systems that do not sign their webhooks, or where signature validation is handled inside the process via a business-rule action on the raw headers.
Slack provider
Performs Slackβs standard signature check on every incoming request:401 Unauthorized.
Slackβs URL-verification handshake is handled automatically β a url_verification POST with a challenge field receives the challenge value back as JSON, before the request is forwarded to the process. No process configuration is required for the handshake.
Meta provider
Covers WhatsApp, Messenger, Instagram, and Threads. Meta-platform integrations share a common subscription model and signature scheme; theMETA adapter handles both.
Meta webhooks require two secrets, configured as masked inputs in the Settings panel:
WEBHOOK_META_SECRETS_REQUIRED 400.
GET URL verification. Meta sends a GET request with hub.mode=subscribe, hub.verify_token, and hub.challenge query parameters when you save the webhook in the Meta App configuration. The gateway:
- Confirms
hub.mode=subscribe. - Confirms
hub.challengeis present. - Compares the received
hub.verify_tokento the configured Verify token using a constant-time check. - Echoes the
hub.challengevalue back as plain text on success.
403 Forbidden β Meta does not finalise the subscription.
POST signature verification. Every POST is signed by Meta with an X-Hub-Signature-256 header (sha256=<hex>). The gateway recomputes the HMAC-SHA256 of the raw body with the configured App secret and rejects mismatches with 401 Unauthorized.
Path / provider mismatch
If a request hits the URL for one provider but the webhook registration is configured with a different provider, the gateway returns400 Bad Request. Always use the URL shown in the Get URL modal β it carries the correct provider segment for the registration.
Webhook payload
When an external system POSTs to the webhook URL, the following data is available in the process instance:
headers includes values added by the FlowX ingress in addition to what the caller sent β typically X-Forwarded-For, X-Real-IP, X-Request-ID, X-Forwarded-Host, X-Forwarded-Proto. These are useful for logging and tracing but should not be confused with provider-supplied headers.Authentication
Webhook authentication uses API keys:- Each webhook registration gets a unique 32-byte, base64-URL-encoded API key
- The key is passed as the
flowxApiKeyquery parameter in the webhook URL - Validation uses constant-time comparison to prevent timing attacks
- Invalid or missing keys return
401 Unauthorized - Inactive webhooks return
404 Not Found

