Webhook Triggers

Start a workflow when an outside system sends an HTTP POST to your ORCFLO webhook URL.

Updated Apr 2026

Webhook triggers give your workflow a private URL. Any outside system that can send an HTTP POST - your own backend, Zapier, a no-code tool, a form builder - can hit that URL and start your workflow with the posted data as inputs.

When to pick a webhook

If the app you want to listen to is already in our integrations list, an app trigger is easier. Webhooks are best for custom systems and any tool that lets you configure where to send events.

Creating a Webhook Trigger

1

Open your workflow

Pick the workflow you want the webhook to start.

2

Click Add trigger → Webhook

In the triggers panel, click Add trigger and pick Webhook.

3

Name it

Give the webhook a name that reminds you where events will come from - for example, "Typeform contact form" or "Stripe checkout".

4

Copy the URL and signing secret

ORCFLO generates both automatically. Paste them into the outside system that will be sending events.

5

Send a test event, map inputs, save

Turn on Test mode, send a real event from the outside system, then pick which payload fields become workflow inputs.

Webhook URL and Signing Secret

Every webhook trigger has two pieces of configuration: a URL and a signing secret.

PieceWhat it is
URLWhere the outside system sends its events. Every webhook is hosted on hooks.orcflo.com and the URL itself is unique per trigger.
Signing secretA shared password the outside system uses to prove each request really came from it. Keeps strangers on the internet from triggering your workflow.

Keep the signing secret private

Treat the signing secret like a password. If it ever leaks, click Rotate secretin the webhook's settings - ORCFLO generates a new one and the old one stops working immediately.

Setting up the outside system

Most webhook-sending tools ask for the same two things. Paste the URL into the endpoint field, and the signing secret into the "secret" or "signing key" field.

If your system doesn't support signed webhooks, you can still use the URL on its own - but anyone who guesses it could trigger your workflow. Signed is safer.

If you are connecting a provider like Stripe, GitHub, or Shopify that issues its own signing secret, skip to Using a Secret From Your Provider below.

Using a Secret From Your Provider

Not every webhook works the same direction. There are two ways a signing secret can flow:

OptionWho makes the secret?What you do
StandardORCFLO generates it for you.Copy the secret from ORCFLO and paste it into the outside system.
I'll paste my ownYour provider (Stripe, GitHub, etc.) generates it.Copy the secret from the provider and paste it into ORCFLO. ORCFLO uses it to verify that incoming events are genuinely from that provider.

Worked example: connecting Stripe

Stripe signs every event it sends with its own secret. Here's how to wire it up so ORCFLO can verify those signatures.

1

Create a webhook endpoint in Stripe

In the Stripe Dashboard, go to Developers → Webhooks and click Add endpoint. Paste your ORCFLO webhook URL into the Endpoint URL field.

2

Subscribe to the events you need

Pick the events Stripe should send. For example, tick customer.subscription.created if you want your workflow to run whenever a new subscription starts.

3

Copy Stripe's Signing secret

On the endpoint detail page, click Reveal next to Signing secret. The value starts with whsec_. Copy it.

4

Choose Stripe in ORCFLO and paste the secret

In your ORCFLO webhook settings, set Sending app to Stripe, then select I'll paste my own and paste the whsec_ value you copied from Stripe.

5

Save — you're done

ORCFLO will now verify the signature on every incoming Stripe event. Events that don't match are rejected and logged.

Works with other providers too

The same flow works for any provider that gives you its own signing secret — GitHub, Shopify, Slack, and Linear all do this. When you select one of those apps as the Sending app, you'll see the I'll paste my own option appear. Choosing Standard keeps using an ORCFLO-generated key (described in the previous section) and is the right choice for custom backends and no-code tools that let you set your own secret.

Test Mode

Test mode is how you see the exact shape of the data your webhook will receive. Turn it on, send one real event from the outside system, and the payload appears in the setup screen.

1

Turn on Test mode

The webhook will record the next incoming event without running your workflow.

2

Send a real event

Submit the form, complete the checkout, push the button - whatever the outside system needs to send its event.

3

Pick and name your inputs

The payload appears as a browsable tree. Tick the fields you want, rename them if useful, and save.

4

Turn off Test mode

The next incoming event will start your workflow for real.

Mapping Payload Fields to Inputs

The payload tree shows every field that came in, including nested ones. Tick what you want, and each becomes a variable your workflow can reference.

If the payload has a field called customer.email, you'll see it nested inside customer. Tick it, rename the variable to email, and use it anywhere as ${inputs.email}.

Short names, every time

email is easier to reference in prompts than customer_email_address.

Delivery Log

Every time something POSTs to your webhook URL, ORCFLO records it in the delivery log - whether your workflow ran or not. Expand a row to see why an event was accepted, skipped, or rejected.

StatusMeaning
AcceptedSignature verified and workflow started.
Received (test)Test-mode capture - payload stored, workflow not started.
RejectedSignature didn't match - the event didn't come from the right source, or the signing secret is out of date.
SkippedDuplicate of an event already processed, or the trigger is paused.

Managing Webhooks

Each webhook lives in the triggers panel of its workflow. From there you can:

  • Rename the webhook
  • Copy the URL or signing secret
  • Rotate the signing secret (the old one stops working immediately)
  • Pause the webhook (events are rejected while paused)
  • Delete the webhook

Rotating the secret

When you rotate the signing secret, the outside system will start getting rejected until you paste the new secret into it. Do the rotation during a quiet period, or pause the webhook first.

Availability

Webhook triggers are available on the Power plan and above. See Pricing Tiers for details on how many webhooks each plan includes.

Looking to trigger from Gmail, Drive, Sheets, or another supported app? Use an app trigger instead.

App Triggers