๐ก How Webhooks Work
Webhooks allow FlowCMS to send HTTP POST requests to your configured endpoints whenever specific events occur. Unlike polling, webhooks push data to you in real-time, ensuring your systems stay synchronized without unnecessary API calls.
๐ Supported Events
Subscribe to the events that matter to your application. You can filter events by content type, workspace, or user role.
| Event Type | Triggered When | Category |
|---|---|---|
content.published |
A draft is published to a live channel | Content |
content.draft_created |
A new draft is saved or created | Content |
content.deleted |
Content is permanently removed | Content |
user.login |
A workspace member authenticates | Auth |
media.uploaded |
An asset is added to the media library | Media |
workflow.approved |
Content passes an approval stage | Workflow |
webhook.failed |
A webhook delivery exceeds max retries | System |
๐ฆ Payload Structure
Every webhook request contains a consistent JSON payload with metadata, the event type, and the affected resource. All payloads include an ID, timestamp, and signature verification header.
{
"id": "evt_8xK9mP2vQw7nL4jR",
"type": "content.published",
"timestamp": "2025-04-12T14:32:09Z",
"workspace_id": "ws_aB3dE5fG",
"data": {
"content_id": "cnt_9X2mKpLq",
"title": "Q2 Product Launch Guide",
"author": {
"id": "usr_mN7pQ2rS",
"name": "Sarah Chen"
},
"previous_status": "draft",
"current_status": "published",
"url": "https://app.flowcms.io/content/cnt_9X2mKpLq"
}
}X-FlowCMS-Signature header using your webhook secret. Never process unsigned payloads in production.๐ Security & Verification
FlowCMS signs every webhook payload using HMAC-SHA256. Include your webhook secret to verify the signature before processing the event.
Extract Signature
Read the X-FlowCMS-Signature header from the incoming HTTP request.
Compute HMAC
Generate HMAC-SHA256 of the raw request body using your webhook secret.
Compare Safely
Use a constant-time comparison function to prevent timing attacks.
const crypto = require('crypto');
const secret = process.env.FLOWCMS_WEBHOOK_SECRET;
function verifyWebhook(payload, signature) {
const hmac = crypto.createHmac('sha256', secret);
hmac.update(payload, 'utf8');
const digest = hmac.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(digest)
);
}โ๏ธ Configuration Guide
Set up webhooks in minutes through the FlowCMS dashboard or via our API. Configure endpoints, event filters, retry policies, and dead-letter queues.
๐ฅ Dashboard Setup
- Navigate to Settings โ Integrations โ Webhooks
- Click "New Webhook" and paste your endpoint URL
- Select event filters and configure retry behavior
- Save and copy your Webhook Secret for signature verification
https://webhook.site or our built-in Event Inspector to test payloads before deploying to production.โ Frequently Asked Questions
We retry failed deliveries up to 5 times using exponential backoff (1m, 5m, 30m, 2h, 24h). If all retries fail, the event is moved to the Dead-Letter Queue (DLQ) and triggers a webhook.failed event for manual inspection.
Yes. The dashboard supports dynamic filtering by content type, workspace, author role, and custom metadata. You can also use the API to define JSON rule-based filters.
Standard webhook payloads are limited to 256KB. For media-heavy events, we include reference URLs instead of inline binary data. Large attachments can be fetched via the provided CDN links.
FlowCMS enforces a fair-use rate limit of 300 requests per minute per endpoint. Burst traffic is automatically queued and delivered in order. Upgrade to Enterprise for custom throughput limits.