Webhooks

Webhooks let you receive an HTTP POST notification the moment content is published in your FlareBuilder organization. Use them to trigger site rebuilds, sync to external systems, or automate any downstream workflow.

Event

FlareBuilder sends one webhook event:

Event	Trigger
content_published	A content item is published for the first time

The webhook fires when a content item transitions from unpublished to published — either when created with a publish date, or when a draft is explicitly published.

Payload

Every delivery is a JSON POST with this structure:

{
  "event": "content_published",
  "timestamp": 1739260800,
  "webhook_id": "wh_k7x3mz9q",
  "data": {
    "id": "011a1262-8675-486f-a3e1-9c62ca273f5e",
    "tenant_id": "your-tenant-id",
    "title": "Quarterly Update",
    "slug": "quarterly-update",
    "status": "published",
    "author_id": "e0222f20-6379-4fe3-a7a4-333f40e03ed4",
    "created_at": "2026-02-12T15:53:52.000Z",
    "updated_at": "2026-02-12T16:00:00.000Z",
    "published_at": "2026-02-12T16:00:00.000Z",
    "tags": ["news", "featured"],
    "fields": []
  }
}

Field	Type	Description
event	string	Always content_published
timestamp	number	Unix timestamp in seconds (when the event fired)
webhook_id	string	ID of the webhook that delivered this event
data	object	The published content item
data.id	string	Content item UUID
data.slug	string	URL slug
data.status	string	Always published for this event
data.tags	string[]	Tag names
data.fields	array	Custom template field values

Note

The data object contains the raw content item as stored internally. To retrieve the full formatted content including sections and rich text fields, fetch the item from the Feed API using its permalink: GET https://your-org.flarebuilder.com/p/{data.id}.

Signature Verification

Every delivery includes an X-Webhook-Signature header so you can confirm the request came from FlareBuilder.

Header: X-Webhook-Signature Format: sha256={hex_digest} Algorithm: HMAC-SHA256 of the raw request body, keyed with your webhook secret

X-Webhook-Signature: sha256=3d4a8f1c...

Verifying in your endpoint

Node.js

import crypto from 'crypto';

// In your POST handler:
const rawBody = await request.text();
const signature = request.headers.get('x-webhook-signature');
const expected = 'sha256=' + crypto
  .createHmac('sha256', process.env.WEBHOOK_SECRET)
  .update(rawBody)
  .digest('hex');

if (signature !== expected) {
  return new Response('Invalid signature', { status: 401 });
}

const event = JSON.parse(rawBody);

Cloudflare Worker

async function verifySignature(request, secret) {
  const rawBody = await request.text();
  const signature = request.headers.get('x-webhook-signature');

  const encoder = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw',
    encoder.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );
  const sig = await crypto.subtle.sign('HMAC', key, encoder.encode(rawBody));
  const hex = Array.from(new Uint8Array(sig))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
  const expected = `sha256=${hex}`;

  return signature === expected;
}

Python

import hmac
import hashlib

def verify_signature(raw_body: bytes, signature: str, secret: str) -> bool:
    expected = 'sha256=' + hmac.new(
        secret.encode(),
        raw_body,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)

# In your handler:
raw_body = await request.body()
signature = request.headers.get('x-webhook-signature', '')
if not verify_signature(raw_body, signature, WEBHOOK_SECRET):
    return Response('Invalid signature', status_code=401)

Caution

Always verify the signature before processing the payload. Use a constant-time comparison (hmac.compare_digest in Python, timingSafeEqual in Node.js) to prevent timing attacks.

Setup

Webhooks are managed from the Integrations page in your FlareBuilder workspace.

1. Navigate to Integrations in your workspace sidebar.
2. In the Webhooks section, click Add Webhook.
3. Enter your endpoint URL.
4. Select the template types this webhook should fire for. At least one must be selected — the webhook only fires when content of a matching template is published.
5. Click Save. Your webhook secret (format: whsec_...) is shown once — copy it now and store it securely.

Caution

The webhook secret is only displayed at creation time. If you lose it, you must delete the webhook and create a new one.

Template Filtering

Each webhook is scoped to one or more content template types. When content is published, FlareBuilder checks whether the content’s template matches any of the webhook’s selected templates — if it doesn’t match, the webhook does not fire.

This lets you send different events to different endpoints. For example:

• One webhook for Blog Post → triggers a blog site rebuild
• Another webhook for Event → syncs to a calendar service

Delivery Behavior

Aspect	Behavior
Method	POST
Content-Type	application/json
User-Agent	FlareBuilder/1.0
Timeout	5 seconds
Retries	None — delivery is fire-and-forget
Parallel delivery	Multiple webhooks fire simultaneously

Note

FlareBuilder does not retry failed deliveries. If your endpoint is temporarily unavailable or returns a non-2xx status, the delivery is lost. Design your endpoint to be idempotent and highly available, or use a queue (e.g. a Cloudflare Queue or a service like Inngest) to buffer events.

Testing

From the Integrations page, use the Test button next to any webhook to send a sample content_published payload to your endpoint. The test uses the same signature verification as real deliveries — your endpoint will see a valid X-Webhook-Signature header.

For testing against a temporary public URL during development, see the Webhook Testing guide.

Disabling a Webhook

Toggle the Enabled switch on any webhook in the Integrations page to pause deliveries without deleting the configuration. Disabled webhooks are skipped entirely — no delivery is attempted.