How do I verify the Webflow signature?

Use the verifyWebflowSignature function with the raw request body, x-webflow-signature, x-webflow-timestamp, and your secret. Ensure you use express.raw to obtain the exact raw body and enforce a 5-minute replay protection window.

What events should I expect to handle?

Common events include form_submission, site_publish, ecomm_new_order, collection_item_created, collection_item_changed, and collection_item_deleted. Handle each case in a switch to trigger appropriate workflows.

How can I test Webflow webhooks locally?

Install Hookdeck CLI and run hookdeck listen --path /webhooks/webflow to expose a local tunnel, then send test webhooks from Webflow or a tool like Postman using the same headers and body format.

webflow-webhooks

Scanned

npx machina-cli add skill hookdeck/webhook-skills/webflow-webhooks --openclaw

Files (1)

SKILL.md

6.5 KB

Webflow Webhooks

When to Use This Skill

How do I receive Webflow webhooks?
How do I verify Webflow webhook signatures?
How do I handle form_submission events from Webflow?
How do I process Webflow ecommerce order events?
Why is my Webflow webhook signature verification failing?
Setting up Webflow CMS collection item webhooks

Essential Code

Signature Verification (Manual)

const crypto = require('crypto');

function verifyWebflowSignature(rawBody, signature, timestamp, secret) {
  // Check timestamp to prevent replay attacks (5 minute window - 300000 milliseconds)
  const currentTime = Date.now();
  if (Math.abs(currentTime - parseInt(timestamp)) > 300000) {
    return false;
  }

  // Generate HMAC signature
  const signedContent = `${timestamp}:${rawBody}`;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(signedContent)
    .digest('hex');

  // Timing-safe comparison
  try {
    return crypto.timingSafeEqual(
      Buffer.from(signature),
      Buffer.from(expectedSignature)
    );
  } catch {
    return false; // Different lengths = invalid
  }
}

Processing Events

app.post('/webhooks/webflow', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-webflow-signature'];
  const timestamp = req.headers['x-webflow-timestamp'];

  if (!signature || !timestamp) {
    return res.status(400).send('Missing required headers');
  }

  // Verify signature (use OAuth client secret or webhook-specific secret)
  const isValid = verifyWebflowSignature(
    req.body.toString(),
    signature,
    timestamp,
    process.env.WEBFLOW_WEBHOOK_SECRET
  );

  if (!isValid) {
    return res.status(400).send('Invalid signature');
  }

  // Parse the verified payload
  const event = JSON.parse(req.body);

  // Handle different event types
  switch (event.triggerType) {
    case 'form_submission':
      console.log('New form submission:', event.payload.data);
      break;
    case 'ecomm_new_order':
      console.log('New order:', event.payload);
      break;
    case 'collection_item_created':
      console.log('New CMS item:', event.payload);
      break;
    // Add more event handlers as needed
  }

  // Always return 200 to acknowledge receipt
  res.status(200).send('OK');
});

Common Event Types

Event	Triggered When	Use Case
`form_submission`	Form submitted on site	Contact forms, lead capture
`site_publish`	Site is published	Clear caches, trigger builds
`ecomm_new_order`	New ecommerce order	Order processing, inventory
`ecomm_order_changed`	Order status changes	Update fulfillment systems
`collection_item_created`	CMS item created	Content syndication
`collection_item_changed`	CMS item updated	Update external systems
`collection_item_deleted`	CMS item deleted	Remove from external systems

Environment Variables

# For webhooks created via OAuth App
WEBFLOW_WEBHOOK_SECRET=your_oauth_client_secret

# For webhooks created via API (after April 2025)
WEBFLOW_WEBHOOK_SECRET=whsec_xxxxx  # Returned when creating webhook

Local Development

For local webhook testing, install Hookdeck CLI:

# Install via npm
npm install -g hookdeck-cli

# Or via Homebrew
brew install hookdeck/hookdeck/hookdeck

Then start the tunnel:

hookdeck listen 3000 --path /webhooks/webflow

No account required. Provides local tunnel + web UI for inspecting requests.

Resources

What Are Webflow Webhooks - Event types and payload structure
Setting Up Webflow Webhooks - Dashboard configuration and API setup
Signature Verification Details - In-depth verification guide
Express Example - Node.js implementation with tests
Next.js Example - App Router implementation
FastAPI Example - Python implementation

Important Notes

Webhooks created through the Webflow dashboard do NOT include signature headers
Only webhooks created via OAuth apps or API include x-webflow-signature and x-webflow-timestamp
Always use raw body for signature verification, not parsed JSON
Timestamp validation (5 minute window - 300000 milliseconds) is critical to prevent replay attacks
Return 200 status to acknowledge receipt; other statuses trigger retries (up to 3 times)

Recommended: webhook-handler-patterns

This skill pairs well with webhook-handler-patterns for production-ready implementations:

Handler sequence — Request flow and middleware order
Idempotency — Handling duplicate events
Error handling — Graceful failure and recovery
Retry logic — Handling failed processing

Related Skills

stripe-webhooks - Stripe webhook handling with similar HMAC-SHA256 verification
shopify-webhooks - Shopify webhook implementation
github-webhooks - GitHub webhook handling
webhook-handler-patterns - Production patterns for all webhooks
hookdeck-event-gateway - Webhook infrastructure and reliability

Sources:

Source

git clone https://github.com/hookdeck/webhook-skills/blob/main/skills/webflow-webhooks/SKILL.mdView on GitHub

Overview

This skill helps you set up Webflow webhook endpoints, verify signatures, and handle events like form_submission, site_publish, ecomm_new_order, and collection item changes. It covers manual signature verification, event routing, and local development best practices.

How This Skill Works

Webflow sends requests with a raw JSON body and headers x-webflow-signature and x-webflow-timestamp. The skill provides a verifyWebflowSignature function using HMAC-SHA256 and a time window to prevent replay attacks, then parses the verified payload and routes events via a switch on triggerType. Use express.raw to preserve the raw body for accurate verification and respond with 200 OK after processing.

When to Use It

Setting up a webhook endpoint to receive form_submission events from Webflow.
Debugging signature verification when Webflow webhooks fail.
Processing ecomm_new_order events to trigger order fulfillment workflows.
Syncing CMS items on collection_item_created or collection_item_changed.
Triggering builds or cache invalidation when site_publish fires.

Quick Start

Step 1: Create a /webhooks/webflow endpoint and configure WEBFLOW_WEBHOOK_SECRET.
Step 2: Implement verifyWebflowSignature(rawBody, signature, timestamp, secret) and wire it into the route.
Step 3: Parse the verified payload and route events (form_submission, ecomm_new_order, collection_item_created, etc.) with appropriate handlers.

Best Practices

Use express.raw to preserve the raw body for signature verification.
Validate the timestamp with a 5-minute window to prevent replay attacks.
Perform a timing-safe comparison when matching signatures.
Store WEBFLOW_WEBHOOK_SECRET securely (environment variable) and rotate it periodically.
Always respond 200 OK after handling the webhook and log failures for debugging.

Example Use Cases

Handle form_submission to trigger a lead capture workflow and notify the sales team.
Process ecomm_new_order to update inventory and initiate fulfillment.
Sync collection_item_created to an external CMS or search index.
On site_publish, clear caches or trigger a site rebuild.
Handle collection_item_changed to reflect updates in downstream systems.

Frequently Asked Questions

Add this skill to your agents