Flow Studio
Webhook Capability Overview
Receiving inbound HTTP events as workflow triggers and making outbound HTTP calls from workflow nodes — the full webhook integration pattern.
What the Webhook Capability Provides
The Webhook capability enables two complementary integration patterns:
| Direction | Node | Purpose |
|---|---|---|
| Inbound | WebhookTriggerNode | Receives HTTP POST from external system → starts workflow |
| Outbound | WebhookCallNode | Sends HTTP request to external URL → captures response |
Inbound Webhook URL Pattern
POST https://api.bizfirstai.com/webhook/{tenantId}/{threadId}
Content-Type: application/json
X-Webhook-Signature: sha256={HMAC}
{
"event": "order.created",
"orderId": "ord-001",
"amount": 1250.00
}The entire payload becomes $json in the triggered workflow. All downstream nodes can access $json.event, $json.orderId, etc.
Outbound Call Pattern
Node Config:
{
"url": "https://partner.example.com/api/notify",
"method": "POST",
"headers": { "X-Api-Key": "$env.PARTNER_KEY" },
"body": {
"orderId": "$output.createOrder.orderId",
"status": "confirmed"
}
}
Node Output:
{
"statusCode": 200,
"body": { "accepted": true, "referenceId": "ref-xyz" },
"headers": { "Content-Type": "application/json" }
}Security Model
- Inbound: HMAC-SHA256 signature verification on every request — requests without a valid signature are rejected with 401
- Secret storage: Webhook secrets are stored via
ICredentialResolver— never in workflow config as plaintext - Outbound: API keys/tokens for outbound calls resolved via
ICredentialResolver - IP allowlist: Optional IP allowlist per webhook endpoint for additional defense
Prerequisite: Read Guide35_NodeCapabilitiesOverview for the capability framework before diving into this guide.