Webhooks
The webhook endpoint receives events from external services like Stripe, GitHub, PayPal, and Twilio. Each webhook trigger has a unique URL that external services post to.
POST
/hooks/:triggerIdReceive an external webhook event. No Bearer auth required — verified by signature.
Verification Flow
- Connector dispatch — If the trigger has a
servicefield and the connector is available, the webhook is dispatched to the connector for service-specific signature verification and rich event parsing. - Built-in verification — If no connector is available, the built-in verifier checks the HMAC signature using the trigger’s
secret. - No secret — If no secret is configured, the webhook fires but a warning is logged for audit purposes.
Supported Services
| Service | Signature Header | Verification |
|---|---|---|
| Stripe | Stripe-Signature | HMAC-SHA256 with timestamp |
| GitHub | X-Hub-Signature-256 | HMAC-SHA256 |
| PayPal | PayPal headers | PayPal webhook verification API |
| Twilio | X-Twilio-Signature | HMAC-SHA1 |
| Generic | X-Signature | HMAC-SHA256 |
Setting Up a Webhook
curl -X POST http://127.0.0.1:7741/triggers \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"type": "webhook",
"config": {
"service": "github",
"secret": "your-webhook-secret"
},
"action": {
"type": "shell",
"command": "jeriko github hook"
},
"label": "GitHub push events"
}'200Response
{
"ok": true,
"data": {
"trigger_id": "4eae23a1"
}
}Failed Verification
If signature verification fails, the endpoint returns 200 OK with the trigger ID but does not fire the action. This prevents external services from retrying indefinitely.