Sources

A source is the public ingress endpoint for incoming webhook traffic. External systems send HTTP requests to a source URL, and FastHook verifies, stores, inspects, and routes those requests through your connections.

Use one source per producer or workflow, such as github, stripe-billing, shopify-orders, or an internal service. Clear source boundaries make filtering, replay, debugging, and ownership much easier.

Sources list with a generated FastHook source URL — Sources list and generated source URL

What a Source Does

A source gives you a stable webhook URL. When a provider sends a request to that URL, FastHook records the request, marks whether it was accepted or rejected, and queues accepted traffic for the connected destinations.

Sources also carry source-level authentication settings. When authentication is enabled, FastHook verifies the incoming request before it is queued. Failed verification creates a rejected request with Source Auth Failed, so operators can see what happened without accepting untrusted traffic.

Create a Source

Open Sources.
Create a source and give it a name that describes the producer.
Copy the generated source URL.
Paste that URL into the webhook provider as the payload or callback URL.

The source URL is the only URL the provider needs. Routing to destinations is handled later through connections.

Source Authentication

FastHook supports source authentication from the source settings panel:

HMAC verifies a signature header against the raw request body.
Basic Auth verifies an Authorization: Basic ... header.
API Key verifies a shared key in a configurable header.
Provider signature verifies a supported provider contract, such as GitHub, Stripe, Shopify, Slack, Dropbox, Trello, Discord, AWS SNS, and other source types.

When authentication is enabled and verification succeeds, the request is stored with verified: true. When verification fails, the request is rejected before delivery and appears as Source Auth Failed.

For provider-specific setup, use the Source types reference. Each provider page documents allowed HTTP methods, headers, challenge responses, dashboard fields, and official provider documentation links.

Source authentication settings in FastHook — Source authentication settings

HMAC fields

Use HMAC when the provider signs webhook payloads. Configure:

Secret: the same shared secret configured in the provider.
Signature header: the HTTP header that contains the provider signature.
Timestamp header: optional; leave empty when the provider does not send a separate timestamp header.
Prefix: optional prefix that appears before the hex digest in the signature header.

For GitHub webhooks, use:

| Field | Value | | --- | --- | | Authentication Method | HMAC | | Secret | the same value as GitHub webhook Secret | | Signature header | x-hub-signature-256 | | Timestamp header | leave empty | | Prefix | sha256= |

GitHub computes the signature over the raw request body and sends it in X-Hub-Signature-256. FastHook compares that value before queueing the request.

GitHub webhook Secret field configured for FastHook HMAC verification — GitHub webhook Secret configuration

Basic Auth fields

Use Basic Auth when the producer can send a username and password. Configure:

Username
Password

FastHook verifies the incoming Authorization header before accepting the request.

API Key fields

Use API Key when the producer can send a static key in a header. Configure:

Header name, such as x-api-key
API key

FastHook reads the configured header and compares it with the stored key.

Custom Response

FastHook can return a custom response to the webhook provider after an incoming request is accepted and queued. This is useful when a provider expects a specific JSON, text, or XML acknowledgement.

When Customize response is disabled, FastHook returns the default accepted response:

JSON

{
  "ok": true,
  "queued": true,
  "transport": "queue",
  "request_id": "req_..."
}

When Customize response is enabled, configure:

Content type: JSON, TEXT, or XML.
Body: the exact response body FastHook should return with HTTP 200.

The body is required. JSON responses must contain valid JSON before the source can be saved.

Source custom response settings in FastHook — Custom response settings

HTTP Methods

Each source can restrict which HTTP methods are accepted for its source URL. By default, FastHook accepts POST, PUT, PATCH, and DELETE. GET and HEAD are available for providers that need validation or challenge flows.

Provider source types can set safer defaults. Dropbox, Meta, Nylas, and Okta keep GET enabled for challenge requests. Trello keeps HEAD enabled for callback URL validation. Hygraph keeps GET, POST, PUT, and DELETE enabled because its webhook contract can use several methods.

Requests that use a method not selected for the source are rejected before queueing. FastHook records those attempts with rejection_cause: SOURCE_METHOD_NOT_ALLOWED and returns HTTP 405.

Disable or Delete a Source

You can disable a source from the source edit panel when you need to pause inbound traffic without deleting the source configuration.

Disabled sources reject all incoming requests to the source URL. FastHook records those attempts as rejected requests with rejection_cause: SOURCE_DISABLED and returns HTTP 410.

Delete a source only when the source should no longer be used. Deleted sources are removed from the dashboard, and requests to the old source URL no longer resolve to a source.

Inspect Requests From a Source

The Requests view shows accepted and rejected requests for every source. The Source column displays the source name, and the source filter uses the same readable source names in the UI.

The Verified column shows whether FastHook verified source authentication for the request. Accepted authenticated requests show Verified in the dashboard and verified: true in the API response. Requests that were not authenticated show Unverified. Rejected requests caused by source authentication failures use rejection_cause: SOURCE_AUTH_FAILED.

Requests table filtered by source with verified traffic

Operational Guidance

Use clear names that reflect the producer or workflow, such as github, stripe-billing, or shopify-orders.
Enable source authentication when the provider supports signatures, Basic Auth, or API keys.
Keep only the HTTP methods your provider actually uses.
Store provider secrets securely and rotate them when access changes.
Disable a source when you need to pause new inbound traffic without deleting source configuration.
Delete a source when the source URL should stop resolving permanently.
Use the Requests view to confirm whether a request was accepted, rejected, or failed authentication.

API Notes

Source and destination responses include their saved config directly. For sources, authentication settings are exposed in config.auth_type and config.auth; no special include query parameter is required.

Sources also expose config.custom_response. Set it to null to use the default accepted response, or set { "content_type": "json" | "text" | "xml", "body": "..." } to return a custom response body after queueing.

Use config.allowed_http_methods to control accepted methods. The value must contain at least one of HEAD, GET, POST, PUT, PATCH, or DELETE.

Use POST /sources/:id/disable and POST /sources/:id/enable to pause or resume a source. Use DELETE /sources/:id to delete it.

Request objects include verified, a boolean that indicates whether FastHook successfully verified source authentication for that inbound request.