* feat(ambient-agents): Add webhook trigger UI on start node, handles in both canvas, agentflow is out of scope but shows temporary ui
* fix: resolve webhookURL copy button not appearing after first save
useParams() does not update when window.history.replaceState() is used on first save (bypasses React Router). Fall back to Redux canvas.chatflow.id so NodeInputHandler re-renders reactively when SET_CHATFLOW is dispatched.
* feat(webhooks): add server route and validation for webhook trigger
- POST /api/v1/webhook/:id route (accepts all HTTP methods via router.all)
- Validates chatflow exists and is configured as webhookTrigger, returns 404 otherwise
- Wraps raw webhook payload as incomingInput.webhook for buildAgentflow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(agentflow): wire up webhook flow execution (FLOWISE-366)
- Resolve {{ $webhook.field }} template variables in agentflow nodes
- Add required body param validation in webhook service
- Whitelist /api/v1/webhook/ to bypass global auth middleware
- Set $input to JSON payload in custom function nodes for webhook flows
- Add $webhook. autocomplete suggestions in node editors
- Unit tests for body param validation and pre-mutation body pass-through
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(webhooks): namespace webhook payload under $webhook.body.*
- Wrap webhook body as { webhook: { body } } in controller so $webhook.body.*,
$webhook.headers.*, and $webhook.query.* can coexist as distinct namespaces
- Update suggestion option IDs/labels in UI from $webhook.* to $webhook.body.*
- Restrict webhookTrigger start option to agentflowv2 client only
- Remove static webhookURL placeholder from NodeInputHandler (agentflow)
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(ambient-agents): Add webhook trigger UI on start node, handles in both canvas, agentflow is out of scope but shows temporary ui
* fix: resolve webhookURL copy button not appearing after first save
useParams() does not update when window.history.replaceState() is used on first save (bypasses React Router). Fall back to Redux canvas.chatflow.id so NodeInputHandler re-renders reactively when SET_CHATFLOW is dispatched.
* feat(webhooks): add headers, query params & body validation to webhook trigger
- Add webhookTrigger input type to Start node with HTTP method, content type, and expected headers/query/body param configuration
- New /api/v1/webhook/:id route with method, content-type, header, body, and query param validation (400/405/415 on mismatch)
- Namespace webhook payload as $webhook.body.*, $webhook.headers.*, $webhook.query.* in the flow runtime
- Resolve $webhook.* variables in downstream nodes via buildAgentflow.ts
- Auto-unwrap form-encoded `payload` JSON strings (e.g. GitHub webhooks) so $webhook.body.* paths work regardless of content type
- Expose webhook variable suggestions in the node variable picker
- Show copyable webhook URL in the Start node canvas UI
* fixed a bug where downstream nodes can't reference values via node id, and a lowercase headers issue
* feat: add webhook secret & HMAC signature verification to webhook trigger
Adds server-side webhook secret management (generate/clear/verify) and a
UI control in the Start node for configuring the secret, signature header,
and signature type (HMAC-SHA256 or plain token). Raw request body is now
captured before JSON parsing so HMAC signatures can be verified against the
original bytes. Migrations added for all four supported databases.
* fix: accept string-coerced numbers and booleans in webhook body type validation
application/x-www-form-urlencoded payloads deliver all values as strings,
so the strict typeof check was incorrectly rejecting valid numeric ("42")
and boolean ("true"/"false") values. Updated the filter to coerce and
validate instead, with tests covering both JSON and form-encoded cases.
* fix: prevent mass-assignment of webhookSecret fields in chatflow create/update
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
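The commit above captures the raw request body before JSON parsing so that HMAC signatures are checked against the original bytes. The following added example (not code from this PR or from Flowise) shows why that matters and how an absent body is handled; `verifyWebhookSignature`, its option names, the `'hmac-sha256'`/`'token'` type strings and the sample secret are assumptions made for illustration.

```javascript
// Added example, not Flowise code. verifyWebhookSignature is a hypothetical helper.
const crypto = require('node:crypto')

// timingSafeEqual throws on unequal lengths, so check length first.
function safeEqual(a, b) {
    return a.length === b.length && crypto.timingSafeEqual(a, b)
}

// rawBody: Buffer captured before any body parser ran (undefined when no body was sent).
// type: 'hmac-sha256' or 'token' (assumed names for the two signature types).
function verifyWebhookSignature({ rawBody, secret, headerValue, type = 'hmac-sha256' }) {
    if (typeof headerValue !== 'string' || headerValue === '') return false
    if (type === 'token') {
        // Plain token: the header carries the shared secret itself.
        return safeEqual(Buffer.from(headerValue), Buffer.from(secret))
    }
    // Accept "sha256=<hex>" (GitHub style) or bare hex; reject anything else early.
    const hex = headerValue.startsWith('sha256=') ? headerValue.slice(7) : headerValue
    if (!/^[0-9a-f]{64}$/i.test(hex)) return false
    // A request without a body is signed over zero bytes, not over "{}" or "null".
    const bytes = rawBody ?? Buffer.alloc(0)
    const expected = crypto.createHmac('sha256', secret).update(bytes).digest()
    return safeEqual(Buffer.from(hex, 'hex'), expected)
}

// Constructed sample data: sender bytes with spacing that a parse/stringify round trip drops.
const SECRET = 'constructed-test-secret'
const RAW = Buffer.from('{"action": "opened",  "number": 42}')
const sign = (buf) => 'sha256=' + crypto.createHmac('sha256', SECRET).update(buf).digest('hex')

function demo() {
    const reparsed = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())))
    const sig = sign(RAW)
    return {
        rawBytes: verifyWebhookSignature({ rawBody: RAW, secret: SECRET, headerValue: sig }),
        reserialized: verifyWebhookSignature({ rawBody: reparsed, secret: SECRET, headerValue: sig }),
        emptyBody: verifyWebhookSignature({ secret: SECRET, headerValue: sign(Buffer.alloc(0)) }),
        malformed: verifyWebhookSignature({ rawBody: RAW, secret: SECRET, headerValue: 'sha256=zz' }),
        token: verifyWebhookSignature({ secret: SECRET, headerValue: SECRET, type: 'token' })
    }
}

console.log(demo())
```

The `reserialized` case fails because `JSON.stringify(JSON.parse(...))` changes the byte sequence the sender signed, which is the reason for verifying before parsing.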
* Added HITL support for webhooks
* feat: add async callback URL to webhook trigger
Optional Callback URL / Secret on the Start node (or x-callback-url header). Webhook now returns 202 immediately and POSTs SUCCESS, STOPPED (HITL), or ERROR to the callback URL, signed with HMAC-SHA256 when a secret is set. Retries 3x with 0s/3s/6s backoff.
* used getErrorMessage for error messages
#6273)
* feat: add webhook secret & HMAC signature verification to webhook trigger
Adds server-side webhook secret management (generate/clear/verify) and a UI control in the Start node for configuring the secret, signature header, and signature type (HMAC-SHA256 or plain token). Raw request body is now captured before JSON parsing so HMAC signatures can be verified against the original bytes. Migrations added for all four supported databases.
* fix: accept string-coerced numbers and booleans in webhook body type validation
application/x-www-form-urlencoded payloads deliver all values as strings, so the strict typeof check was incorrectly rejecting valid numeric ("42") and boolean ("true"/"false") values. Updated the filter to coerce and validate instead, with tests covering both JSON and form-encoded cases.
* Added HITL support for webhooks
* feat: add async callback URL to webhook trigger
Optional Callback URL / Secret on the Start node (or x-callback-url header). Webhook now returns 202 immediately and POSTs SUCCESS, STOPPED (HITL), or ERROR to the callback URL, signed with HMAC-SHA256 when a secret is set. Retries 3x with 0s/3s/6s backoff.
* feat: add object/array body param types and per-option show/hide on dropdowns
- Add object, array[string/number/boolean/object] as webhook body param types, available when content type is application/json
- Extend options fields with show/hide conditions so individual dropdown choices can be hidden based on other param values
Code Review
This pull request introduces a 'Webhook Trigger' start node for Agentflows, allowing workflows to be initiated via external HTTP requests. Key features include support for HMAC and plain token signature verification, individual option-level visibility filtering based on conditions, and an asynchronous callback mechanism for long-running flows. The implementation covers core logic, server-side controllers and services, database schema updates, and UI enhancements for configuration and variable suggestions. Feedback identifies a potential failure in signature verification for requests without a body and suggests utilizing a persistent task queue instead of setImmediate for more robust background execution of flows.
Remove the x-callback-url header override that allowed any external caller to control where the server sends POST requests. Callback URL now only comes from the Start node config (authenticated users). Add checkDenyList validation to block callback URLs targeting private networks, cloud metadata endpoints, and loopback addresses.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
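The commit above restricts the callback URL to the Start node config and validates it against a deny list. As an added illustration of that kind of check (this is not Flowise's `checkDenyList`; `checkCallbackUrl`, the CIDR list and the sample URLs are constructed for this example), the sketch below rejects callback targets in loopback, private and link-local ranges, including hosts written in alternate numeric forms.

```javascript
// Added example, not Flowise's checkDenyList. checkCallbackUrl is a hypothetical helper.
const net = require('node:net')

// Constructed deny list: unspecified, RFC 1918, CGNAT, loopback, link-local (cloud metadata).
const BLOCK = new net.BlockList()
for (const [addr, prefix] of [
    ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
    ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]
]) {
    BLOCK.addSubnet(addr, prefix, 'ipv4')
}
BLOCK.addAddress('::', 'ipv6') // unspecified
BLOCK.addAddress('::1', 'ipv6') // loopback
BLOCK.addSubnet('fc00::', 7, 'ipv6') // unique local
BLOCK.addSubnet('fe80::', 10, 'ipv6') // link-local

// resolved: addresses the caller obtained from DNS for a hostname (not looked up here).
function checkCallbackUrl(raw, resolved = []) {
    let url
    try {
        url = new URL(raw)
    } catch {
        return { ok: false, reason: 'unparseable' }
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' }
    if (url.username || url.password) return { ok: false, reason: 'credentials' }
    // WHATWG URL parsing already normalises 2130706433 or 0x7f.1 to 127.0.0.1.
    const host = url.hostname.replace(/^\[|\]$/g, '')
    if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback-name' }
    const addrs = net.isIP(host) ? [host] : resolved
    if (addrs.length === 0) return { ok: false, reason: 'unresolved' }
    for (const addr of addrs) {
        const family = net.isIP(addr)
        if (family === 0) return { ok: false, reason: 'bad-address' }
        if (BLOCK.check(addr, family === 6 ? 'ipv6' : 'ipv4')) return { ok: false, reason: 'denied:' + addr }
    }
    return { ok: true, reason: 'allowed' }
}

// Constructed inputs.
console.log(checkCallbackUrl('http://169.254.169.254/latest/meta-data/'))
console.log(checkCallbackUrl('https://hooks.example.com/cb', ['93.184.216.34']))
```

For hostnames, the addresses passed as `resolved` need to be the same ones the HTTP client then connects to; a check against one lookup followed by a second lookup at request time can be answered differently.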
I have deployed on dev and tested the scenarios below
DEV Webhook Test
webhooks-wrong-trigger-type.mp4
webhooks-secret-plain-token.mp4
webhooks-secret-HMAC-working.mp4
webhooks-missing-required-body-param.mp4
webhooks-missing-query-params.mp4
webhooks-invalid-webhook-id.mp4
webhooks-hitl-and-callbacks.mp4
webhooks-happy-path-autofill-query-body.mp4
webhooks-callback-urls.mp4
webhooks-call-back-secrets.mp4
Webhook Trigger for Agentflows
Adds full webhook trigger support to agentflows, allowing external systems to invoke flows via HTTP. Collects PRs #6068, #6164, #6217, #6227, #6263, #6273.
Trigger configuration — A new Webhook Trigger input type on the Start node exposes a copyable webhook URL and lets you declare expected body params, headers, query params, HTTP method, and content type. Individual dropdown options can be shown/hidden based on other param values.
Execution — POST /api/v1/webhook/:id runs the flow. The full payload is accessible in any node via {{ $webhook.body.* }}, {{ $webhook.headers.* }}, and {{ $webhook.query.* }}, with autocomplete support. Returns 404 / 405 / 415 / 400 for misconfigured or invalid requests.
Secrets & signature verification — Opt-in HMAC-SHA256/SHA1 (GitHub, Stripe, Slack) and plain token (GitLab) verification. Secrets are stored encrypted; the UI shows the plaintext only on generation.
Async + HITL — Supports Human-in-the-Loop flows. When a callback URL is configured, the webhook returns 202 immediately and POSTs the result (SUCCESS / STOPPED / ERROR) to the callback URL once the flow finishes, optionally signed with HMAC-SHA256.
Body param types — Supported types: string, number, boolean, object, array[string], array[number], array[boolean], array[object]. Complex types are only available for application/json content type.
Videos
Happy Path Before Testing on Dev
344-Callback-Happy-Path.mp4
344-Callback-Webhooks-Happy-Path.mp4
DEV Webhook Test
webhooks-wrong-trigger-type.mp4
webhooks-secret-plain-token.mp4
webhooks-secret-HMAC-working.mp4
webhooks-missing-required-body-param.mp4
webhooks-missing-query-params.mp4
webhooks-invalid-webhook-id.mp4
webhooks-hitl-and-callbacks.mp4
webhooks-happy-path-autofill-query-body.mp4
webhooks-callback-urls.mp4
webhooks-call-back-secrets.mp4
Screenshots