Flitch
Integrations

Webhook Receiver

Receive JSON payloads pushed from external services in real time.

Gives you a unique URL that external services POST to. For services that emit webhooks (events, form submissions, automations) rather than expose a queryable API. Each payload becomes a row.

Add a source

Open the form

Go to DataAddWebhook Receiver.

Name it and set a signing secret (optional)

  • Name.
  • Signing secret: optional. When set, every request must carry a valid signature (see Securing the endpoint). Leave blank to accept unsigned requests; you can add a secret later.

Create and copy the URL

Flitch generates a unique URL for this connection, for example https://app.flitch.io/api/webhooks/<id>. Copy it.

Point your service at the URL

In the sending service (Stripe, GitHub, a Zapier/Make automation, a custom script), configure a webhook or HTTP POST to this URL with a JSON body.

Send a test event and save

Trigger one event, or run the curl below. The payload appears in the data preview.

Payload shape

Send application/json (form-encoded is also accepted). Each POST body is stored as one row:

  • Nested objects flatten with dot notation: { user: { name: "Ada" } } becomes user.name.
  • Arrays are stored as JSON strings.
  • Three metadata columns are added: _id, _receivedAt, _sourceIp.

The schema is inferred from recent payloads, so send a consistent shape. Differently shaped payloads still store; the table widens to the union of fields.

Retries are de-duplicated. If a request carries an idempotency or delivery header (Idempotency-Key, Webhook-Id, X-GitHub-Delivery, ...) or a top-level event id (id, event_id), Flitch stores it once. A repeat of the same event returns 200 without adding a duplicate row.

Securing the endpoint

Setting a signing secret requires every request to be signed with HMAC-SHA256. Include an X-Webhook-Signature header containing the hex HMAC-SHA256 of the raw request body, keyed with your secret. A sha256= prefix is allowed, and GitHub's X-Hub-Signature-256 header is also accepted. Unsigned or mis-signed requests are rejected with 401.

SECRET='your-signing-secret'
BODY='{"event":"test","data":{"message":"Hello"}}'
SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$SECRET" | sed 's/^.* //')
curl -X POST https://app.flitch.io/api/webhooks/<id> \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Signature: sha256=$SIG" \
  -d "$BODY"

Sign the exact bytes you send. Use printf (not echo, which appends a newline) so the body you sign matches the body you POST.

Add, change, or remove the secret anytime from the connection's Edit connection dialog. Removing it re-opens the endpoint to unsigned requests.

Refresh

There is no refresh. Data is pushed, not pulled, so rows appear as events arrive. Flitch keeps the most recent payloads per connection and rate-limits the endpoint; older events are trimmed automatically.

Troubleshooting

401 Invalid or missing webhook signature. A signing secret is set but the request was not signed correctly. Sign the raw body with HMAC-SHA256 and send it in X-Webhook-Signature, or clear the secret to accept unsigned requests.

Empty payload. The body was empty or not valid JSON. Send a JSON object or a form-encoded body.

429 Too many requests. The endpoint is rate-limited per connection. Slow the sender or batch events.

Payload not showing. Confirm the POST returned 200 and the body is a JSON object, then check the data preview.

OData

Connect any OData v4 service with Basic or OAuth2 client-credentials auth.

Account

Profile, sessions, team, billing, and configuration.

On this page

Add a sourceOpen the formName it and set a signing secret (optional)Create and copy the URLPoint your service at the URLSend a test event and savePayload shapeSecuring the endpointRefreshTroubleshooting