Skip to main content

Dependencies

Before setting up the Webhook Gateway, ensure you have the following dependencies in place:
  • PostgreSQL database for storing webhook registration data
  • Kafka for publishing process start events
  • Keycloak (or compatible OAuth2 provider) for authentication and authorization
  • SpiceDB for fine-grained authorization

Infrastructure prerequisites


Configuration

Authorization configuration

The Webhook Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (the mainIdentity client registration) in the service-accounts realm:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.
The Webhook Gateway exposes /webhooks/** as public (unauthenticated) paths for receiving incoming webhooks. The /api/** paths require a valid JWT token.

PostgreSQL configuration

The Webhook Gateway uses its own dedicated PostgreSQL database for storing webhook registration data.
Ensure the webhook_gateway database is created before deploying the service. The Webhook Gateway will manage its own schema migrations via Liquibase.

Kafka configuration

The Webhook Gateway is a producer-only service β€” it publishes messages to Kafka but does not consume from any topics. It publishes to two topics: one for starting new processes and one for resuming waiting process instances.

Core Kafka settings

OAuth authentication (when using SASL_PLAINTEXT)

When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Topic naming configuration

Kafka topics

The Webhook Gateway publishes to the following Kafka topics:

CAS lib configuration (SpiceDB)


Service communication

The Webhook Gateway communicates with the following FlowX services:

Logging configuration


Secrets management

The Webhook Gateway requires several secrets to be configured. These should be stored securely and referenced via Kubernetes secrets or a secrets management solution.

Deployment

Helm values example

Below is an example Helm values configuration for deploying the Webhook Gateway:
Unlike most FlowX services, the Webhook Gateway requires ingress to be enabled because it receives incoming HTTP requests from external systems on the /webhooks path.

Network policies

The Webhook Gateway requires network access to the following services:

Monitoring

The Webhook Gateway exposes Prometheus metrics for monitoring. Turn on scraping by setting the pod label:

Health endpoints


Verify your setup

The Webhook Gateway pod is running and healthy: kubectl get pods -l app=webhook-gateway
The health endpoint returns HTTP 200: curl http://webhook-gateway:8080/actuator/health
Database migrations completed successfully β€” check pod logs for Liquibase: Update has been successful
SpiceDB connection is established β€” check pod logs for successful CAS client initialization
The /webhooks ingress path is accessible from external systems

Ingress and CORS

The Webhook Gateway is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. The path is preserved end-to-end (no rewrite), because the webhook endpoint URL is the same on the backend as on the client.

Service route

The path is set through services.webhook-gateway.ingress.admin.path (or services.webhook-gateway.gateway.admin.paths) in the chart values. No rewrite is applied β€” webhook URLs your upstream systems POST to must match the path exactly.

CORS configuration

Allowed methods, allowed headers, and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.

Troubleshooting

Symptoms: Service fails to start with database connection errors.Solutions:
  1. Verify the webhook_gateway database exists in PostgreSQL
  2. Check that the database user has appropriate permissions
  3. Ensure network connectivity between the pod and PostgreSQL service
  4. Verify the JDBC URL format is correct
Symptoms: Authorization errors or service fails to initialize CAS client.Solutions:
  1. Verify SpiceDB is running and reachable at the configured host and port
  2. Check that the SpiceDB token is correct
  3. Ensure network policies allow gRPC traffic to SpiceDB on port 50051
  4. Review pod logs for specific CAS client error messages
Symptoms: Webhook events not triggering process starts.Solutions:
  1. Verify Kafka bootstrap servers are reachable
  2. Check that the ai.flowx.core.trigger.start-for-event.process.v1 topic exists
  3. Ensure the service has producer permissions on the topic
  4. Review pod logs for Kafka producer errors
Symptoms: External systems cannot reach the webhook URL.Solutions:
  1. Verify ingress is enabled and the /webhooks path is configured
  2. Check that network policies allow inbound traffic to the Webhook Gateway
  3. Ensure DNS resolves correctly for the webhook URL
  4. Verify the service is listening on port 8080
Symptoms: 401/403 errors when communicating with other FlowX services.Solutions:
  1. Verify the Keycloak service account is properly configured
  2. Check that client secrets match between configuration and Keycloak
  3. Ensure the service account has required roles assigned
  4. Verify SECURITY_TYPE is set to jwt-public-key

SpiceDB Configuration

Fine-grained authorization setup

Kafka Authentication

Configure Kafka security and authentication

IAM Configuration

Identity and access management setup
Last modified on June 11, 2026