Webhook & REST API

Webhook Triggers

Every workflow with a webhook trigger gets a unique URL. Send an HTTP request to trigger execution.

Trigger a Workflow (POST)

POST /api/webhooks/{webhookId}
Content-Type: application/json

{
  "customer_id": "cust_123",
  "event": "order.created",
  "data": {
    "amount": 99.99,
    "currency": "USD"
  }
}

Trigger a Workflow (GET)

GET /api/webhooks/{webhookId}?customer_id=cust_123&event=order.created

Response

{
  "status": "success",
  "message": "Webhook received and workflow triggered",
  "webhookId": "abc-123",
  "workflowId": "wf-456",
  "executionId": "exec-789",
  "executionStatus": "RUNNING"
}

For synchronous execution, add a Response node to your workflow. The webhook will wait up to 30 seconds and return the response body directly.

Signature Verification

Protect your webhooks with HMAC SHA-256 signature verification. Configure a secret in your webhook trigger settings.

# Flowmatic verifies the X-Webhook-Signature header:
# signature = HMAC-SHA256(secret, request_body)

curl -X POST https://your-instance.com/api/webhooks/{webhookId} \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Signature: sha256=a1b2c3..." \
  -d '{"event": "test"}'

Webhook Context

Inside your workflow, the webhook trigger injects metadata into the execution context:

{
  "_webhook": {
    "webhookId": "abc-123",
    "triggerId": "trigger-456",
    "headers": {
      "content-type": "application/json",
      "user-agent": "MyApp/1.0"
    },
    "query": { "source": "api" },
    "receivedAt": "2026-02-08T12:00:00Z"
  },
  // ... your request body fields
}

Access any field using expressions: {{_webhook.headers.user-agent}}

Core API Endpoints

All API endpoints (except webhooks and auth) require a Bearer token in the Authorization header.