Overview
Deliver notifications to any HTTP endpoint
Webhooks allow you to send notifications to any external system via HTTP requests. Use webhooks to trigger automation workflows, sync with CRM systems, or integrate with any service that accepts HTTP callbacks.
Channel Configuration
The webhook channel only requires signing configuration. URL, method, headers, and body are configured per-step in the notiflow template editor.
| Field | Required | Description |
|---|---|---|
| Request Signing | No | Enable HMAC-SHA256 request signing |
| Signing Key | When signing is enabled | Secret key used to sign request payloads |
Setup in Notiflows
- Navigate to Channels in your project
- Click Create Channel
- Select Webhook as the channel type
- Optionally enable request signing and enter a signing key
- Save the channel
Step Template
Each webhook step in a notiflow defines the request details:
| Field | Required | Description |
|---|---|---|
| URL | Yes | The endpoint URL. Supports Liquid: {{ recipient.external_id }} |
| Method | Yes | HTTP method: GET, POST, PUT, PATCH, or DELETE |
| Headers | No | Custom headers as key-value pairs or JSON. Supports Liquid. |
| Body | No | Request body as key-value pairs or JSON. Supports Liquid. |
Request Format
When a webhook fires, Notiflows sends an HTTP request:
- Method: As configured in the step template
- Content-Type:
application/json(unless overridden in headers) - Body: The compiled step template body, or a default payload
Default Payload
If no body is configured, the request includes a default JSON payload:
{
"event": "notification.delivered",
"delivery_id": "01HQ...",
"notification_id": "01HQ...",
"recipient_id": "01HQ...",
"timestamp": "2026-03-19T12:00:00Z"
}Liquid Templating
All template fields (URL, headers, body) support Liquid variables:
{
"user_id": "{{ recipient.external_id }}",
"event": "order_shipped",
"data": {
"order_id": "{{ data.order_id }}",
"tracking_url": "{{ data.tracking_url }}"
}
}Available variable contexts:
recipient.*— Recipient user data (external_id, email, first_name, etc.)actor.*— User who triggered the notificationdata.*— Custom payload passed when triggering the notiflow
Request Signing
When signing is enabled on the channel, Notiflows includes an x-webhook-signature header on every request. This allows you to verify that requests are genuinely from Notiflows.
Signature Format
x-webhook-signature: t=1700000000,s=a1b2c3d4...t— Unix timestamp (seconds) when the signature was generateds— HMAC-SHA256 hex digest of{timestamp}.{request_body}using your signing key
Verifying Signatures
- Extract
t(timestamp) ands(signature) from thex-webhook-signatureheader - Reconstruct the signed payload:
{t}.{raw_request_body} - Compute HMAC-SHA256 using your signing key
- Compare your computed signature with
s(must match exactly) - Optionally reject requests where
tis more than 5 minutes old
Example (Node.js):
const crypto = require('crypto');
function verifyWebhook(signingKey, header, body) {
const [tPart, sPart] = header.split(',');
const timestamp = tPart.replace('t=', '');
const signature = sPart.replace('s=', '');
const expected = crypto
.createHmac('sha256', signingKey)
.update(`${timestamp}.${body}`)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}Use Cases
- Trigger automation workflows (Zapier, Make, n8n)
- Sync with CRM or helpdesk systems
- Send to custom internal microservices
- Integrate with third-party APIs
- Fan out to multiple downstream systems