Testing Webhooks

Before building a real webhook receiver, you can use webhook.site to get a temporary public URL that captures every incoming request and lets you inspect the headers and payload in real time. No sign-up required, no code needed.

This guide walks through the full loop: get a URL, register it in FlareBuilder, trigger a delivery, inspect what arrived, and verify the signature.

Step 1: Get a Temporary URL

Open webhook.site in your browser.
You’ll immediately see a unique URL like:
```
https://webhook.site/a1b2c3d4-e5f6-7890-abcd-ef1234567890
```
This URL is ready to receive requests right now. Leave this tab open — deliveries appear here in real time.
Copy the URL.

Step 2: Register the Webhook in FlareBuilder

In your FlareBuilder workspace, navigate to Integrations in the sidebar.
In the Webhooks section, click Add Webhook.
Paste your webhook.site URL into the Endpoint URL field.
Under Template Types, select at least one template (e.g. “Blog Post”). The webhook only fires for content of the selected types.
Click Save.
FlareBuilder displays your webhook secret — it looks like:
```
whsec_4f3a8c2e1d9b7f6a...
```
Copy it now. It will not be shown again.

Step 3: Send a Test Delivery

You don’t need to publish real content to trigger a test. FlareBuilder has a built-in test button:

In the Webhooks section of the Integrations page, find your new webhook.
Click the Test button. FlareBuilder sends a sample content_published payload to your endpoint immediately.
Switch back to your webhook.site tab — you should see a new request appear within a second or two.

Step 4: Inspect the Delivery

Click the request in webhook.site to expand it. Here’s what you’ll find:

Headers

Header	Value
`content-type`	`application/json`
`x-webhook-signature`	`sha256=3d4a8f1c...`
`user-agent`	`FlareBuilder/1.0`

The x-webhook-signature header is how you’ll verify authenticity in your real endpoint.

Body

The payload will look like this:

{
  "event": "content_published",
  "timestamp": 1739260800,
  "webhook_id": "wh_k7x3mz9q",
  "data": {
    "id": "sample_content_123",
    "tenant_id": "your-tenant-id",
    "title": "Sample ContentItem",
    "slug": "sample-contentItem",
    "status": "published",
    "author_id": "sample_user",
    "created_at": "2026-02-12T16:00:00.000Z",
    "updated_at": "2026-02-12T16:00:00.000Z",
    "published_at": "2026-02-12T16:00:00.000Z",
    "tags": [],
    "fields": []
  }
}

data contains the published content item. For a real delivery (not a test), this will be the actual content item that was published.

Step 5: Verify the Signature

Now that you can see the exact request body and the x-webhook-signature header value, you can manually verify that your secret produces the correct signature.

Node.js (script)
Browser console

Copy the raw request body from webhook.site’s Raw tab. Then run this script locally:

import crypto from 'crypto';

// Paste these from webhook.site:
const rawBody = `{"event":"content_published","timestamp":1739260800,...}`;
const receivedSig = 'sha256=3d4a8f1c...'; // from x-webhook-signature header

// Your webhook secret from FlareBuilder:
const secret = 'whsec_4f3a8c2e1d9b7f6a...';

const expected = 'sha256=' + crypto
  .createHmac('sha256', secret)
  .update(rawBody)
  .digest('hex');

console.log('Match:', receivedSig === expected);
console.log('Expected:', expected);
console.log('Received:', receivedSig);

Run with node verify.mjs. If it prints Match: true, your secret and signature logic are correct.

Paste this into your browser’s developer console. Replace the values with what you see in webhook.site:

async function verify(rawBody, receivedSig, secret) {
  const encoder = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw', encoder.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
  );
  const sig = await crypto.subtle.sign('HMAC', key, encoder.encode(rawBody));
  const hex = Array.from(new Uint8Array(sig))
    .map(b => b.toString(16).padStart(2, '0')).join('');
  const expected = `sha256=${hex}`;
  console.log('Match:', receivedSig === expected);
  console.log('Expected:', expected);
}

verify(
  '{"event":"content_published",...}', // raw body from webhook.site
  'sha256=3d4a8f1c...',                 // x-webhook-signature value
  'whsec_4f3a8c2e...'                   // your webhook secret
);

Step 6: Build Your Real Endpoint

Once you’ve confirmed the payload shape and verified the signature logic, replace the webhook.site URL with your real endpoint.

Here’s a minimal receiver as a starting point:

Cloudflare Worker
Node.js / Express

export default {
  async fetch(request) {
    if (request.method !== 'POST') {
      return new Response('Method not allowed', { status: 405 });
    }

    const rawBody = await request.text();
    const signature = request.headers.get('x-webhook-signature') ?? '';

    // Verify signature
    const encoder = new TextEncoder();
    const key = await crypto.subtle.importKey(
      'raw', encoder.encode(WEBHOOK_SECRET),
      { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
    );
    const sig = await crypto.subtle.sign('HMAC', key, encoder.encode(rawBody));
    const expected = 'sha256=' + Array.from(new Uint8Array(sig))
      .map(b => b.toString(16).padStart(2, '0')).join('');

    if (signature !== expected) {
      return new Response('Invalid signature', { status: 401 });
    }

    const event = JSON.parse(rawBody);

    if (event.event === 'content_published') {
      // Trigger your rebuild, sync, or other workflow here
      console.log('Published:', event.data.title, event.data.id);
    }

    return new Response('OK', { status: 200 });
  }
};

import express from 'express';
import crypto from 'crypto';

const app = express();

// Use raw body parser so we get the exact bytes for signature verification
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const rawBody = req.body.toString('utf8');
  const signature = req.headers['x-webhook-signature'] ?? '';
  const expected = 'sha256=' + crypto
    .createHmac('sha256', process.env.WEBHOOK_SECRET)
    .update(rawBody)
    .digest('hex');

  if (signature !== expected) {
    return res.status(401).send('Invalid signature');
  }

  const event = JSON.parse(rawBody);

  if (event.event === 'content_published') {
    // Trigger rebuild, sync, etc.
    console.log('Published:', event.data.title);
  }

  res.status(200).send('OK');
});

app.listen(3000);

Switching to Your Production URL

Deploy your endpoint and confirm it’s publicly reachable.
In FlareBuilder, go to Integrations → find your webhook → click Edit.
Replace the webhook.site URL with your production endpoint URL.
Click Test again to confirm the new endpoint receives and processes the delivery correctly.
Publish a real content item to trigger a live delivery.

Troubleshooting

webhook.site didn’t receive anything after clicking Test Check that your webhook is Enabled (the toggle in the Integrations page should be on). Also confirm the URL you pasted matches exactly what webhook.site shows.

Signature verification is failing Make sure you’re signing the raw request body bytes, not a re-parsed/re-serialized version. Any whitespace difference between the original body and a re-serialized copy will produce a different signature.

The delivery timed out FlareBuilder has a 5-second timeout per delivery. If your endpoint takes longer than that to respond, the delivery is marked as failed. webhook.site responds in milliseconds, so this won’t be an issue there — but watch for slow cold starts in serverless environments.

I lost my webhook secret Delete the webhook and create a new one. The secret is only shown at creation time and cannot be retrieved later.