Webhook triggers give your workflow a private URL. Any outside system that can send an HTTP POST - your own backend, Zapier, a no-code tool, a form builder - can hit that URL and start your workflow with the posted data as inputs.
When to pick a webhook
If the app you want to listen to is already in our integrations list, an app trigger is easier. Webhooks are best for custom systems and any tool that lets you configure where to send events.Creating a Webhook Trigger
Open your workflow
Pick the workflow you want the webhook to start.
Click Add trigger → Webhook
In the triggers panel, click Add trigger and pick Webhook.
Name it
Give the webhook a name that reminds you where events will come from - for example, "Typeform contact form" or "Stripe checkout".
Copy the URL and signing secret
ORCFLO generates both automatically. Paste them into the outside system that will be sending events.
Send a test event, map inputs, save
Turn on Test mode, send a real event from the outside system, then pick which payload fields become workflow inputs.
Webhook URL and Signing Secret
Every webhook trigger has two pieces of configuration: a URL and a signing secret.
| Piece | What it is |
|---|---|
| URL | Where the outside system sends its events. Every webhook is hosted on hooks.orcflo.com and the URL itself is unique per trigger. |
| Signing secret | A shared password the outside system uses to prove each request really came from it. Keeps strangers on the internet from triggering your workflow. |
Keep the signing secret private
Treat the signing secret like a password. If it ever leaks, click Rotate secretin the webhook's settings - ORCFLO generates a new one and the old one stops working immediately.Setting up the outside system
Most webhook-sending tools ask for the same two things. Paste the URL into the endpoint field, and the signing secret into the "secret" or "signing key" field.
If your system doesn't support signed webhooks, you can still use the URL on its own - but anyone who guesses it could trigger your workflow. Signed is safer.
Test Mode
Test mode is how you see the exact shape of the data your webhook will receive. Turn it on, send one real event from the outside system, and the payload appears in the setup screen.
Turn on Test mode
The webhook will record the next incoming event without running your workflow.
Send a real event
Submit the form, complete the checkout, push the button - whatever the outside system needs to send its event.
Pick and name your inputs
The payload appears as a browsable tree. Tick the fields you want, rename them if useful, and save.
Turn off Test mode
The next incoming event will start your workflow for real.
Mapping Payload Fields to Inputs
The payload tree shows every field that came in, including nested ones. Tick what you want, and each becomes a variable your workflow can reference.
If the payload has a field called customer.email, you'll see it nested inside customer. Tick it, rename the variable to email, and use it anywhere as ${inputs.email}.
Short names, every time
email is easier to reference in prompts than customer_email_address.Delivery Log
Every time something POSTs to your webhook URL, ORCFLO records it in the delivery log - whether your workflow ran or not. Expand a row to see why an event was accepted, skipped, or rejected.
| Status | Meaning |
|---|---|
| Accepted | Signature verified and workflow started. |
| Received (test) | Test-mode capture - payload stored, workflow not started. |
| Rejected | Signature didn't match - the event didn't come from the right source, or the signing secret is out of date. |
| Skipped | Duplicate of an event already processed, or the trigger is paused. |
Managing Webhooks
Each webhook lives in the triggers panel of its workflow. From there you can:
- Rename the webhook
- Copy the URL or signing secret
- Rotate the signing secret (the old one stops working immediately)
- Pause the webhook (events are rejected while paused)
- Delete the webhook
Rotating the secret
When you rotate the signing secret, the outside system will start getting rejected until you paste the new secret into it. Do the rotation during a quiet period, or pause the webhook first.Availability
Webhook triggers are available on the Power plan and above. See Pricing Tiers for details on how many webhooks each plan includes.
Looking to trigger from Gmail, Drive, Sheets, or another supported app? Use an app trigger instead.
App Triggers