Working with webhooks

Webhooks are a powerful way to integrate your applications and services with Webflow, allowing you to receive real-time updates whenever specific events occur on your site. By setting up webhooks, you can automate workflows, trigger external processes, and synchronize data across different platforms without any manual intervention.


Get started with webhooks

Ready to streamline your workflow? Follow the steps below to create your first webhook using the Webflow API.


Webhook requests

When an event occurs, Webflow will send a POST request to a specified URL.

The webhook body will be a JSON resource object that relates to the event. The request headers will include:

  • A Content-Type header set to application/json
  • A x-webflow-timestamp with the time the webhook was sent
  • A x-webflow-signature header containing the request signature. Read on for information about validating request signatures.

Below is an example of webhook event data.

Payload
1 {
2 "triggerType": "form_submission",
3 "payload": {
4 "name": "Contact Us",
5 "siteId": "65427cf400e02b306eaa049c",
6 "data": {
7 "First Name": "Zaphod",
8 "Last Name": "Beeblebrox",
9 "email": "zaphod@heartofgold.ai",
10 "Phone Number": 15550000000
11 },
12 "schema": [
13 {
14 "fieldName": "First Name",
15 "fieldType": "FormTextInput",
16 "fieldElementId": "285042f7-d554-dc7f-102c-aa10d6a2d2c4"
17 },
18 {
19 "fieldName": "Last Name",
20 "fieldType": "FormTextInput",
21 "fieldElementId": "285042f7-d554-dc7f-102c-aa10d6a2d2c5"
22 },
23 {
24 "fieldName": "email",
25 "fieldType": "FormTextInput",
26 "fieldElementId": "285042f7-d554-dc7f-102c-aa10d6a2d2c6"
27 },
28 {
29 "fieldName": "Phone Number",
30 "fieldType": "FormTextInput",
31 "fieldElementId": "285042f7-d554-dc7f-102c-aa10d6a2d2c7"
32 }
33 ],
34 "submittedAt": "2022-09-14T12:35:16.117Z",
35 "id": "6321ca84df3949bfc6752327",
36 "formId": "65429eadebe8a9f3a30f62d0",
37 "formElementId": "4e038d2c-6a1e-4953-7be9-a59a2b453177"
38 }
39 }

Creating a webhook

In this tutorial, we’ll walk through creating a webhook to listen for new submissions to a contact form on a site. Whenever someone submits this form, Webflow will send a notification to the specified destination. Additionally, we’ll cover how to verify that the webhook requests you’re receiving are genuinely from Webflow, ensuring secure and reliable communication with your application.

Looking for a simpler setup?

If you’d prefer a way to set up webhooks without using the API, you can easily configure them through the Webflow dashboard. Please note, that webhooks created through the dashboard will not include the request headers needed to validate request signatures.

Prerequisites

  • A site token or bearer token from a Webflow Data Client App with the forms:read scope.
  • A Webflow test site. You can use the Biznus template to quickly set up a site equipped with a contact form.
  • A service to accept an HTTPS request. While we’ll be using https://webhook.site in this tutorial, you’re free to choose any platform.

Before we get started working with the API, we’ll first need to create a form and publish our site. If you already have a working form on your site, you can skip this step. To create a site with a form, we’ll use the Biznus template, which already has a form on its contact page.

  1. Clone the Biznus template to your development Workspace.

  2. Go to the Contact Page to view your form. Here, you can review your form’s fields. Ensure each field has a unique name. These field names will be used as keys in the webhook’s payload. Form Fields

  3. Publish the site by clicking the publish button in the top right corner.

Webhooks require the following elements to function:

  • Site ID: The unique identifier of your Webflow site.
  • Trigger Type: Specific event the webhook will monitor.
  • Destination URL: Unique URL prepped to accept HTTP requests.

Once we have these elements, we can create the webhook by sending a POST request to the Create Webhook endpoint.

  1. Get the Site ID. There are two ways to get your Site ID, you can access the ID via site settings, or send a request to the List Sites endpoint.

    1. In the designer, click the Webflow Icon in the top left corner, and select “Site Settings” from the menu.

    2. In your site settings, scroll down to the “Overview” section to find your Site ID Site ID location in settings

  2. Get your destination URL. Navigate to webhook.site and copy your unique URL. This URL will be used as the destination where Webflow will send webhook events. Screenshot showing webhook.site interface with unique URL

  3. Send a POST request to the Create Webhook endpoint. In the request, you’ll include the site_id, url, and triggerType of form_submission.

    1curl -X POST "https://api.webflow.com/sites/YOUR_SITE_ID/webhooks" \
    2 -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
    3 -H "Content-Type: application/json" \
    4 -d '{
    5 "triggerType": "form_submission",
    6 "url": "https://your-webhook-url.com"
    7 }'

    Additionally, the form_submission trigger supports a filter parameter, allowing you to specify the name of the form you’d like to receive notifications for. This is particularly helpful if you have multiple forms on a site.

    Use our interactive API Docs to send requests

    You can also use the interactive API Reference to quickly send a POST request to the Create Webhook endpoint without writing any code.

  4. Review the response. After successfully establishing your webhook, you should receive a confirmation similar to the one shown below:

    Successful response
    1{
    2 "id": "582266e0cd48de0f0e3c6d8b",
    3 "triggerType": "form_submission",
    4 "siteId": "562ac0395358780a1f5e6fbd",
    5 "workspaceId": "4f4e46fd476ea8c507000001",
    6 "createdOn": "2022-11-08T23:59:28.572Z",
    7 "lastTriggered": "2023-02-08T23:59:28.572Z",
    8 "filter": null,
    9 "url": "https://webhook.site/7f7f7f7f-7f7f-7f7f-7f7f-7f7f7f7f7f7f",
    10 "secretKey": "2b4acfd1c5518bf03c73a4889d197d77251353857c22694bf150b9e3402ba15f"
    11 // 👆 The secret key is only present if using a Site API key created from the Site Dashboard
    12}

Once you’ve successfully created the Webhook to listen for new form submissions, you can test it by navigating to the form on your site and submitting a response.

Once you’ve submitted a response, head over to webhook.site to view the POST request from Webflow. If the request is successful, you’ll see the Request Details, Headers, and Payload sections. These details should match the JSON object shown below.

JSON
1Content-Type: application/json
2x-webflow-timestamp: 1722370035277
3x-webflow-signature: cb6162d8daf6573c658805a5f431adab25f56faf6c601935067d3957a161dfeb
4{
5 "triggerType": "form_submission",
6 "payload": {
7 "name": "Email Form",
8 "siteId": "65427cf400e02b306eaa049c",
9 "data": {
10 "Email 2": "hello@gmail.com"
11 },
12 "submittedAt": "2024-07-30T20:07:15.220Z",
13 "id": "66a947f35b9d7ba400e22733",
14 "formId": "65429eadebe8a9f3a30f62d7"
15 }
16}

Notice the headers included in the response: x-webflow-timestamp and x-webflow-signature. These headers are crucial for verifying the authenticity of the webhook.

Webhook retries

Your service should return a 200 response to show that the webhook was successfully captured. If the response status is anything else, the webhook will be retried up to three more times at which point the request will be considered failed and will no longer be retried.


Failure conditions

Webflow considers the following scenarios as failure conditions:

  • Non-200 HTTP status code response: If we receive any response other than a valid HTTP 200 response, it is regarded as a failure.
  • Redirects: If the webhook encounters redirects while attempting to deliver the payload, it will be treated as a failure.
  • SSL Certificate Issues: If we cannot successfully negotiate or validate your server’s SSL certificate, it will be marked as a failure.
  • Timeouts: Webflow expects a swift response during webhook delivery. If there are prolonged delays in receiving a response from your server, it will be considered a failure.

Deactivation of webhooks

If Webflow repeatedly encounters failure conditions while attempting to deliver a webhook payload, we will take the following action:

  • Deactivation: We will deactivate your webhook to prevent further delivery attempts.
  • Notification: You will be notified of the webhook deactivation via email.

To reactivate your webhook or if you have any questions regarding a deactivated webhook, please don’t hesitate to reach out to our support team.


Limits

Understanding the limits imposed by Webflow can help you design and manage your webhooks more efficiently:

CriteriaLimitation
Maximum webhooks for a specific trigger_type75
Maximum number of retry attempts after an unsuccessful webhook call3
Interval (in minutes) between each retry10

Event types

This is the full list of webhook events available in Webflow. For complete documentation of webhook events with payloads, please see the webhook events documentation.

EventDescription
form_submissionDetails about a form submission, including form name, site ID, data submitted, submission timestamp, and form ID.
site_publishDetails about a site publish event, including site ID, published timestamp, domains, and user who published the site.
page_createdInformation about a new page event, including site ID, page ID, page title, and creation timestamp.
page_metadata_updatedMetadata of a page is updated and published, including site ID, page ID, page title, and last updated timestamp.
page_deletedInformation about a deleted page, including site ID, page ID, page title, and deletion timestamp.
ecomm_new_orderInformation about a new order, including order ID, status, customer information, shipping details, and purchased items.
ecomm_order_changedDetails about an order that changed, including order ID, status, comments, customer information, and updated order details.
ecomm_inventory_changedInformation about the inventory item that changed, including item ID, quantity, and inventory type.
user_account_addedInformation about a new user account, including user ID, email verification status, account creation date, and status.
user_account_updatedDetails about an updated user account, including user ID, email verification status, last updated timestamp, and access groups.
user_account_deletedInformation about a deleted user account, including user ID, email verification status, and account creation date.
collection_item_createdDetails about a newly created collection item, including item ID, site ID, Workspace ID, collection ID, creation date, and draft status.
collection_item_changedInformation about an updated collection item, including item ID, site ID, Workspace ID, collection ID, last updated date, and item details.
collection_item_deletedDetails about a deleted collection item, including item ID, site ID, Workspace ID, and collection ID.
collection_item_unpublishedInformation about an unpublished collection item, including item ID, site ID, Workspace ID, and collection ID.

Validating request signatures

Webflow provides methods to verify that requests are genuinely coming from the Webflow API by using signatures included in the request headers. These signatures vary based on the creation method of the webhook.

Request headers

  • x-webflow-timestamp : The time the webhook was sent, represented in Unix epoch time format.
  • x-webflow-signature : The request signature, formatted as a SHA-256 HMAC hash. It uses either the site token secret or the OAuth app’s client secret as the signing key.

To ensure the authenticity of a webhook request from Webflow, validate the request signature using the provided headers and your webhook’s associated signing key.

Signing keys

Depending on the creation method of the webhook, you’ll receive a different signing key.

  • Site token secret : For webhooks created through site settings via a site token after April 14, 2025, each webhook will have its own secret key. You’ll need to store this key securely and use it as your signing key.
  • OAuth app client secret : For webhooks created through an OAuth application, you won’t receive a separate secret key. Instead, you’ll use your OAuth app’s client secret as the signing key.

Webflow recommends use of the provided SDK method to verify the incoming webhook requests’ signatures.

As signature implementations are subject to change, Webflow will support updates to the method to ensure smooth transitions for developers. All you will need to do is update the package version to benefit from these changes.

  1. Extract data from the HTTP Request

    • headers : Keep the headers as a record-like object
    • body : Stringify the entire request body
  2. Await the results

    Javascript
    1import express from 'express';
    2import { WebflowClient } from "webflow-api";
    3
    4const webflowClient = new WebflowClient({ accessToken: AUTHTOKEN });
    5const app = express();
    6app.use(express.json());
    7// ...
    8
    9app.post('/FormSubmission', async (req, res) => {
    10 const isValidRequest = await webflowClient.webhooks.verifySignature({
    11 headers: req.headers,
    12 body: JSON.stringify(req.body),
    13 secret: getSigningSecret(FORM_SUBMISSION_SECRET);
    14 });
    15
    16 if (isValidRequest) {
    17 // ...handle the request
    18 } else {
    19 // ...handle malicious request
    20 }
    21
    22 res.sendStatus(200);
    23});

Steps to manually validate the request signature

If you need to validate the request signature without use of the SDK, follow the steps below to achieve the same effect as the SDK method.

  1. Generate the HMAC hash

    • Retrieve the timestamp from the x-webflow-timestamp header.
    • Concatenate the timestamp and the request body with a colon (:) separator. The format should be:
      1timestamp + ":" + JSON.stringify(request_body)
    • Use your OAuth application’s client secret (or your secret key if the webhook is not associated with an OAuth Application) and the SHA-256 hashing algorithm to generate the HMAC hash.
  2. Compare the generated hash with the provided signature
    Compare the generated HMAC hash with the x-webflow-signature header from the request. A match confirms the request’s legitimacy; otherwise, it should be considered potentially tampered with or fraudulent.

  3. Verify the timestamp
    Check the x-webflow-timestamp header to ensure the request is recent. A request older than 5 minutes may indicate a replay attack. Calculate the request’s age as follows:

    1currentTime - Number(request_timestamp)

    If the difference exceeds 5 minutes (300,000 milliseconds), consider the request potentially compromised.

    See below for examples that accept an incoming HTTPS request and validate the signature:

    1const express = require('express');
    2const crypto = require('crypto');
    3const bodyParser = require('body-parser');
    4
    5const app = express();
    6const PORT = 3000;
    7const CLIENT_SECRET = 'your_client_secret'; // Replace with your Webflow OAuth application's client secret
    8
    9app.use(bodyParser.json()); // Parse JSON request bodies
    10
    11app.post('/webhook', (req, res) => {
    12 // Step 1: Extract headers and body from the request
    13 const requestBody = JSON.stringify(req.body);
    14 const timestamp = req.headers['x-webflow-timestamp'];
    15 const providedSignature = req.headers['x-webflow-signature'];
    16
    17 // Step 2: Verify the signature
    18 if (!verifyWebflowSignature(CLIENT_SECRET, timestamp, requestBody, providedSignature)) {
    19 return res.status(400).send('Invalid signature'); // Respond with a 400 Bad Request if verification fails
    20 }
    21
    22 // Process the webhook request as necessary
    23 console.log('Webhook verified and received:', req.body);
    24 res.status(200).send('Webhook received');
    25});
    26
    27function verifyWebflowSignature(clientSecret, timestamp, requestBody, providedSignature) {
    28 try {
    29 // Step 3: Convert the timestamp to an integer
    30 const requestTimestamp = parseInt(timestamp, 10);
    31
    32 // Step 4: Generate the HMAC hash
    33 const data = `${requestTimestamp}:${requestBody}`;
    34 const hash = crypto.createHmac('sha256', clientSecret)
    35 .update(data)
    36 .digest('hex');
    37
    38 // Step 5: Compare the generated hash with the provided signature
    39 if (!crypto.timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(providedSignature, 'hex'))) {
    40 throw new Error('Invalid signature');
    41 }
    42
    43 // Step 6: Validate the timestamp (within 5 minutes)
    44 const currentTime = Date.now();
    45 if (currentTime - requestTimestamp > 300000) { // 5 minutes in milliseconds
    46 throw new Error('Request is older than 5 minutes');
    47 }
    48
    49 return true; // The request is valid
    50
    51 } catch (err) {
    52 console.error(`Error verifying signature: ${err.message}`);
    53 return false;
    54 }
    55}
    56
    57app.listen(PORT, () => {
    58 console.log(`Server is running on port ${PORT}`);
    59});
Built with