Webhook Guides
Webhook Headers
Webhook headers carry the operational context that payloads often do not: event type, delivery id, signature, timestamp, content type, provider identity, and sometimes a shop, tenant, or subscription identifier.
FastHook stores inbound headers on requests, lets you route by header values, and can add outbound destination auth headers when delivering events to receivers. Header inspection is one of the fastest ways to debug a failed webhook.
Common header families
| Family | Examples | Use |
|---|---|---|
| Event type | X-GitHub-Event, X-Shopify-Topic | Route events without parsing the full payload. |
| Delivery id | X-GitHub-Delivery, X-Shopify-Webhook-Id | Deduplicate and correlate retries. |
| Signature | Stripe-Signature, X-Hub-Signature-256 | Verify the sender against the raw body. |
| Timestamp | X-Slack-Request-Timestamp | Reject stale replay attempts. |
| Content type | application/json, application/x-www-form-urlencoded | Choose parsing behavior safely. |
Route by headers
{
"type": "filter",
"headers": {
"x-github-event": { "$eq": "pull_request" },
"x-github-delivery": { "$exists": true }
}
}Signature headers
Signature headers usually cover the raw request body. If a receiver verifies against parsed JSON or a modified body, the signature will fail even when the secret is correct.
- Store and compare the exact raw body for HMAC-based providers.
- Use timestamp tolerance for providers that include signed timestamps.
- Log signature failure causes without leaking secrets.
- Keep separate secrets for production, staging, and local sources.
Outbound headers
Destination auth is a separate boundary. FastHook can send a custom header, OAuth token, or FastHook destination signature so your receiver can verify that the delivery came through FastHook.
{
"auth_type": "CUSTOM_HEADER",
"auth": {
"header_name": "x-internal-webhook-key",
"header_value": "receiver-secret"
}
}Debug checklist
- Compare provider docs against the captured request headers.
- Confirm header names are treated case-insensitively.
- Check whether proxies or frameworks strip or rewrite headers.
- Use header filters before body filters when the provider exposes a reliable event header.
- Use delivery ids as correlation keys across FastHook, provider logs, and receiver logs.
Header normalization tips
HTTP header names are case-insensitive, but application code and logs often display them differently. Pick one normalized form for filters and examples, then compare values rather than relying on visual casing in screenshots.
Also watch for duplicate headers. Some providers or proxies can send repeated values, and frameworks may join them into one comma-separated string. For signature verification, use the exact header behavior your provider documents.
- Normalize filter header names to lowercase for predictable matching.
- Store provider delivery ids even when the payload has its own event id.
- Do not use User-Agent as an authentication boundary.
- Prefer signed headers or provider tokens for trust decisions.