Webhook connectors support exposing a public API endpoint.

Key Capabilities

  • Public API endpoint exposure for HTTP POST and PUT data ingestion with modern authentication mechanisms
  • User-based rate limiting and concurrent request management with CORS support
  • HMAC signature authentication for enhanced security and custom response event scripting
  • Sample request templates for XML Map connector integration and workflow automation

Overview

Webhook connectors enable data to enter the flow via HTTP POSTs and PUTs. Each Webhook connector exposes an endpoint in the application where external clients can send XML and JSON payloads. These payloads are written to an output file and passed along to the next connectors in the flow. You can specify a sample request in the Webhook connector to simplify the process of transforming data that is POSTed to the endpoint. When an XML sample is specified, and the Webhook connector is connected to an XML Map connector in the flow, the XML Map connector automatically detects the expected structure of XML files posted to the endpoint. You can then use the XML Map connector Node Value Editor to map this structure into a target XML structure.

Connector Configuration

This section contains all of the configurable connector properties.

Settings Tab

Connector Details

Settings related to the core operation of the connector.
  • Connector Id: The static, unique identifier for the connector.
  • Connector Type: Displays the connector name and a description of what it does.
  • Connector Description: An optional field to provide a free-form description of the connector and its role in the flow.
  • Webhook Endpoint: The generated URL (based on the connector name) where the endpoint is exposed.

Advanced Settings

  • Local File Scheme: A scheme for assigning filenames to messages that are output by the connector. You can use macros in your filenames dynamically to include information such as identifiers and timestamps. For more information, see Macros.
  • Enable HMAC Authentication: Check Enabled to use HMAC (Hash-based Message Authentication Code) signature authentication to verify the authenticity and integrity of webhook requests. See HMAC Authentication for details.
  • HMAC Signature Header: The signature header value. By default this is x-cdata-hmac-signature, but you can customize it.

Request Details Tab

Supply an XML or JSON template representing the expected structure of incoming data. The primary benefit of specifying a sample request is when you connect the Webhook connector to an XML Map connector in the flow. Use XML Map connectors when the API data needs to be converted into some other format, like an EDI document or a database insert. The XML Map connector detects the XML structure of the sample request and uses this as the Source File for the XML Map connector. Upload the XML structure representing the target format as the Destination File, then use the Node Value Editor to convert the source structure into the destination.

Users Tab

The Users tab lets you:
  • Create users with their associated authtokens and OAuth 2.0 credentials
  • Define POST and/or PUT privileges
  • Specify how many requests each user can make per hour
  • Specify how many concurrent requests are permitted
You can add, edit, and delete users on this tab. See Add or Edit Users for details on each field.
The request settings here override settings in the Default Rate Limits section of the Server tab.

Server Tab

Trusted IP Addresses

Default Rate Limits (Per User)

Settings restricting the number of requests allowed, if no values have been provided on the Users tab.
  • Max Requests Per Hour: The limit to the number of requests a single user can issue in an hour.
  • Max Concurrent Requests: The limit to the number of concurrent requests a user can issue.

Cross-Origin Resource Sharing (CORS)

Settings governing the use of CORS to serve cross-origin resources.

Advanced Settings

  • Authtoken in URL: Check this to allow the connector to pass the authtoken in query string parameters for authentication. See Using Auth Tokens as Query String Parameters for more information.

Advanced Tab

Logging

Miscellaneous

Alerts Tab

SLAs Tab

HMAC Authentication

HMAC (Hash-based Message Authentication Code) signature authentication is a cryptographic method that verifies the authenticity and integrity of webhook requests. It uses a shared secret key to generate a unique signature for each request, ensuring:
  • Request Authenticity: Confirms the request originated from a trusted source
  • Data Integrity: Verifies that the request payload hasn’t been tampered with during transmission
  • Replay Attack Prevention: Protects against malicious reuse of intercepted requests
This provides significantly stronger security compared to traditional authentication methods like basic authentication or API keys, which can be more easily compromised. Users with Professional or Enterprise licenses can enable HMAC signature authentication for incoming webhook requests.

Configuration

HMAC authentication is a global setting that applies to every user authorized to access the webhook.
  1. Enable HMAC Authentication
    1. Check Enable HMAC Authentication in the webhook connector settings.
    2. Optionally, customize the HMAC Signature Header value (the default is x-cdata-hmac-signature).

Set HMAC Keys for Users

After enabling HMAC authentication:
  1. Navigate to the Users tab of the webhook connector.
  2. Configure the HMAC key for each authorized webhook user:
    1. An HMAC key is automatically generated for each user. You can override the auto-generated key with a custom value. Each user must use their assigned HMAC key to generate valid signatures for their webhook requests.
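
A sender-side and receiver-side sketch of the signature check described in this section, added here as an illustration and not CData's own code. The page does not state the hash algorithm, the encoding, or which parts of the request are signed, so HMAC-SHA256 over the raw body with a hex-encoded value is an assumption, as are the user names and keys.

```python
import hashlib
import hmac

# Assumptions (not stated on the page): HMAC-SHA256 over the raw request body,
# hex-encoded, carried in the default signature header named on the page.
SIGNATURE_HEADER = "x-cdata-hmac-signature"

# Constructed sample data: user names, keys and body are made up for this example.
USER_KEYS = {"partner-a": b"constructed-key-a", "partner-b": b"constructed-key-b"}
BODY = b"<Items>\n  <Webhook>Hello World!</Webhook>\n</Items>"


def sign_body(user_key: bytes, body: bytes) -> str:
    """Sender side: sign the exact bytes that will go on the wire."""
    return hmac.new(user_key, body, hashlib.sha256).hexdigest()


def build_headers(user_key: bytes, body: bytes) -> dict:
    """Headers a client would attach to its POST or PUT."""
    return {"content-type": "application/xml", SIGNATURE_HEADER: sign_body(user_key, body)}


def verify_request(user_keys: dict, user: str, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute with the key assigned to this user, compare in constant time."""
    key = user_keys.get(user)
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if key is None or received is None:
        return False
    expected = sign_body(key, body)
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def demo() -> dict:
    headers = build_headers(USER_KEYS["partner-a"], BODY)
    return {
        "valid": verify_request(USER_KEYS, "partner-a", headers, BODY),
        "tampered_body": verify_request(USER_KEYS, "partner-a", headers, BODY + b" "),
        "wrong_user_key": verify_request(USER_KEYS, "partner-b", headers, BODY),
        "missing_header": verify_request(USER_KEYS, "partner-a", {}, BODY),
        # Under the body-only assumption an identical resend verifies again; replay
        # protection needs a signed timestamp or nonce, which the page does not describe.
        "identical_resend": verify_request(USER_KEYS, "partner-a", headers, BODY),
    }


if __name__ == "__main__":
    print(demo())
```

Sign the serialized bytes that are actually sent; re-serializing the XML or JSON after signing changes the body and the check fails.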

Auth Token Authentication

Users can access Webhook resources by providing authtokens with requests. Manage users and authtokens by adding or editing a user on the Users tab, and navigating to the Authentication tab. Before users can call the Webhook endpoint, you must also set trusted IP addresses for connections. Set these in the Trusted IP Addresses section of the Server tab. By default, all IP addresses are restricted.

Using Auth Tokens in Basic Authentication

Enter the user’s authtoken as the password when using Basic Authentication.

Using Auth Tokens in the HTTP Header

Add the HTTP header x-{companyName}-authtoken with the authtoken as part of the HTTP request.

Using Auth Tokens as Query String Parameters

To allow the connector to pass the authtoken in query string parameters, check Allow authtoken in URL in the Advanced Settings section of the Server tab. After enabling this feature, you can specify the authtoken as the value of the @authtoken parameter, which you supply as part of the HTTP form-post data or as a query parameter.

OAuth 2.0 Authentication

Users can secure Webhook resources using OAuth 2.0 authentication. Manage users and OAuth credentials by adding or editing a user on the Users tab, and navigating to the Authentication tab.

Receiving Data

When data is uploaded to the webhook endpoint, the body of the web request is written as an output file and passed along to the next connector in the flow. This allows for a flexible method of invoking a workflow via an external API call.
Data uploaded to the endpoint is not validated in the Webhook connector, and should be validated later in the flow if necessary.

Custom Responses

Ordinarily, the Webhook connector accepts the posted data and returns a token response indicating that the request was accepted. You can customize the response by using the Response event, where the _request, _httpheaders, _response, and _message special items are available. When specified, the connector expects the custom response to be provided through the _response item. You can also use the Response event to push custom output items using the following attributes:
  • Filename: The filename of the output message to pass down the flow.
  • Data: The data to include in the message that is passed down the flow. For binary data, use the Base64Data attribute instead.
  • Base64Data: The Base64-encoded data to include in the message that is passed down the flow.
  • HeaderNames#: A list of header names to include on the message that is passed down the flow. Use the HeaderValues attribute to specify values for these headers at the matching index.
  • HeaderValues#: A list of header values to include on the message that is passed down the flow. These values are used for the header names defined at the matching index in the HeaderNames list.
  • Logs#: A list of log entries to include in the logs for the transaction.

Response Examples

To push a file containing the body of the webhook request, with a custom filename and header, down the flow, the Script in the Response event might look like this:
<arc:set attr="out.Filename" value="MyCustomFilename.xml" />
<arc:set attr="out.Data" value="[_message.body]" />
<arc:set attr="out.HeaderNames#1" value="MyHeader1" />
<arc:set attr="out.HeaderValues#1" value="MyHeader1Value" />
<arc:push item="out" />
To surface a header on the incoming request as a header on the message that is passed down the flow, the Script in the Response event might look like this:
<arc:set attr="_message.header:MySpecialHeader" value="[_httpheaders.MyWebhookHeader]" />
<arc:set attr="_response.header:Content-Type" value="application/xml" />
<arc:set attr="_response.write" value="<Status>Successfully processed message with MySpecialHeader=[_message.header:MySpecialHeader]</Status>" />
With the Script above in the Response event, a client can send a request similar to the following:
POST https://localhost/connector/Webhook1/webhook.rsb HTTP/1.1
content-type: application/xml
X-{siteNameShort}-Authtoken: 1s7U4w0a2P3l8v9W3l0q
MyWebhookHeader: Hello World!

<Items>
  <Webhook>Hello World!</Webhook>
</Items>
and receive the following response:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 31 Aug 2021 19:16:13 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: application/xml
Content-Length: 81
Server: Jetty(9.4.z-SNAPSHOT)

<Status>Successfully processed message with MySpecialHeader=Hello World!</Status>

Macros

Examples