Is it possible to access a Webhook's headers from Workflows?

When setting a webhook trigger, is there a way to access the headers sent with the request?

I don't see this information in, or startTrigger.metadata (which seems to always be null)


Hey @brettski!

This is a request devs have on their radar, thanks for surfacing it here! Is there a particular use case you have for the headers that I can pass along?

Hello @Kabirdas,

Verifying a webhook signature using HMAC was what I was looking to do in this case.

A generic example of this is explained here: Hash-based Message Authentication Code (HMAC) - Docs

Really useful for validating webhooks from many services, e.g. Stripe, which use HMAC signing for validation. It can also be a great stop-gap between being able to add JS libraries to workflows. For example, the Stripe SDK can validate the webhook for you, but you can also do it manually as it's an HMAC signature.

I guess one other thing which will be required to validate a webhook signature is access to the raw body of the request from the endpoint, as you are validating that what was sent is the same as what was received.

Got it, thanks for sharing (and teaching me something new :smile: )!

Will let you know here as soon as it's included.

+1 for this

Being able to access the response body for authenticating an endpoint with a service is a must-have.

Right now I'm trying to bypass my current Zapier integration between and Retool but I can't verify the webhook I've created in my Workflow.

"The URL you specified should be, of course, controlled by your app. Our platform checks this by sending a JSON challenge to your endpoint, and your app should respond back with the same challenge."

No matter what data I try to return from my Retool webhook, the response is always in this format, meaning I can't validate the webhook with a 3rd party service. Any suggestions on working around this would be very welcome!

    {
        "success": true,
        "workflow_run": {
            "id": "xxxx",
            "workflow_id": "xxxx",
            "created_at": "2023-02-07T15:54:03.608Z",
            "status": "PENDING"
        }
    }

Bumping this up - has header support been launched with Workflows yet?

Hey @auste_rich! Thanks for the bump, this should be live on Cloud!

Good news. How do you access the header data though? I was looking in the docs at, Configure workflow triggers, and don't see it. Nor could I figure it out in the editor. In addition, is there a way to access the raw body yet?

You should be able to find them under startTrigger.headers:

Do they not show up correctly for you there?


@brettski did you manage to implement HMAC? I don't think Retool has a crypto implementation...

Hi @mawdo81, no I was not. The raw request body is required and I wasn’t able to access that. It’s been a while since I have looked at this though.

Crypto implementation isn’t required for HMAC, it can reliably be done with vanilla JS. See the link previously posted.

I too can't seem to get data from headers, or really much info from the start trigger besides I've got a slightly different verification need, but related nonetheless. Possibility of Capturing URL parameter

4 posts were split to a new topic: Validating Xero webhooks
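
The check discussed in this thread, as an added example that is not part of the original posts and not Retool's own code: HMAC-SHA256 verification over the raw request body with a constant-time comparison, showing why a parsed and re-serialized body no longer verifies. It assumes Node.js with its built-in `crypto` module; the header name `x-signature`, the secret and the payload are constructed for illustration.

```javascript
// Added example: generic HMAC-SHA256 webhook verification (Node.js built-in crypto).
const crypto = require("crypto");

// Hex HMAC-SHA256 of the exact bytes the sender transmitted.
function sign(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// headers: object with lower-cased names.
// "x-signature" is a hypothetical header name; real services each define their own.
function verifyWebhook(secret, headers, rawBody) {
  const received = headers["x-signature"];
  if (typeof received !== "string" || !/^[0-9a-f]{64}$/i.test(received)) {
    return false; // missing or malformed signature: reject before comparing
  }
  const expected = Buffer.from(sign(secret, rawBody), "hex");
  const actual = Buffer.from(received, "hex");
  // Both buffers are 32 bytes after the regex check, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample data (not from any real service).
const SECRET = "constructed-test-secret";
const RAW_BODY = '{"id": 42,  "event":"invoice.paid"}'; // sender's own spacing
const HEADERS = { "x-signature": sign(SECRET, RAW_BODY) };

// Parsing and re-serializing changes the bytes, so the signature stops matching.
const REENCODED = JSON.stringify(JSON.parse(RAW_BODY));

function demo() {
  return {
    rawBody: verifyWebhook(SECRET, HEADERS, RAW_BODY),
    reencoded: verifyWebhook(SECRET, HEADERS, REENCODED),
    tampered: verifyWebhook(SECRET, HEADERS, RAW_BODY.replace("42", "43")),
    noHeader: verifyWebhook(SECRET, {}, RAW_BODY),
  };
}

console.log(demo());
```

Only the first case verifies: the re-encoded body carries the same data but different bytes, which is why access to the parsed payload alone is not enough for signature checks.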