Overview
The HTTP Webhook trigger gives any Taskade automation a unique inbound URL. Any system that can POST JSON can start the automation. Pair it with branching, looping, and AI actions to build any pipeline you need.
TL;DR: Add the Webhook Received trigger to any automation, copy the unique URL, and POST JSON from any external system to fire your workflow. Available on Pro, Business, Max, and Enterprise. Pair with Branch, Loop, Utility Actions, and Structured Output to handle real-world payloads end to end.
How the trigger fits the loop
A webhook is the canonical Execution input: an external system tells Taskade something happened, and your automation runs the rest of the loop.
Webhook trigger vs. Webhook action
These two sound the same but flow in opposite directions. Pick the one that matches the data direction you need.
| Type | Direction | What it does |
|---|---|---|
| HTTP Webhook trigger (this article) | Inbound | Receives a POST from an external system and starts an automation |
| Webhook action | Outbound | Sends a POST from a running automation to an external system |
If your goal is "when something happens in Stripe, run my Taskade automation," you want the trigger. If your goal is "when my Taskade automation finishes, notify Slack via a custom URL," you want the action.
Set up the trigger
Create the trigger first, then wire your external system to the URL it gives you.
- Open the automation you want to start from a webhook.
- Click Add Trigger.
- Pick Webhook Received from the HTTP trigger list.
- Copy the unique Webhook URL shown in the trigger panel.
- Click Save.
Keep that URL handy. You will paste it into the external service that needs to fire the automation.
Reference fields from the payload
The trigger parses incoming JSON automatically when the request includes Content-Type: application/json. The full payload is exposed to every downstream action through five variables you can reference with the @ picker or {{ }} syntax.
| Variable | What it holds | Example |
|---|---|---|
body |
Parsed JSON object | {{trigger.body.customer_email}} |
bodyText |
Raw payload as a string | {{trigger.bodyText}} |
headers |
Request headers | {{trigger.headers["x-api-key"]}} |
method |
HTTP verb (always POST here) |
{{trigger.method}} |
queryParams |
URL query string keys | {{trigger.queryParams.source}} |
To pull a single nested value out of body, pair the trigger with JSON Extract and a JSONPath query like $.user.email. To work with the raw text (for example, to verify a signature header), reach for bodyText.
Test the trigger
Send a real request from your terminal to confirm the trigger fires and your fields parse correctly.
curl -X POST "YOUR_WEBHOOK_URL" \
-H "Content-Type: application/json" \
-d '{
"customer_email": "[email protected]",
"order_id": "ORD-1042",
"amount": 49.00
}'
A successful request returns HTTP 202 Accepted. The automation runs in the background and you can watch progress in the Runs tab.
| Response | What it means | What to do |
|---|---|---|
| 202 Accepted | Payload accepted, automation queued | Open Runs to watch the steps complete |
| 400 Bad Request | JSON malformed or field types do not match | Validate the payload at jsonlint.com |
| 404 Not Found | Wrong URL, or automation is paused | Re-copy the URL and toggle the automation on |
Reliability and retries
Taskade stores every delivery before processing it, so a brief downstream hiccup never loses an event.
- Every inbound POST is persisted before any action runs.
- Actions that error are retried automatically with backoff.
- You can replay any past delivery from the Runs tab in one click.
- Long-running actions do not block the next webhook from being accepted.
This is the same reliable retry behavior used by every action in the automation.
Plan availability
The HTTP Webhook trigger is available on Pro and above because it accepts unbounded inbound traffic from any external service.
| Plan | HTTP Webhook trigger |
|---|---|
| Free, Starter | Use built-in triggers like Forms, Schedule, and task events |
| Pro, Business, Max, Enterprise | Full HTTP Webhook trigger access |
See the pricing page for the latest plan matrix.
Authenticate inbound requests
The URL itself acts as a shared secret, but two stronger options live on every webhook trigger. Use them when the sending system is one you don't fully control, or when the URL might leak.
Per-flow webhook secret
Each webhook trigger can carry an optional Webhook Secret — alphanumeric, dashes, and underscores only. When set, Taskade requires every inbound request to present the secret. Anything without it gets rejected before any action runs.
| Field | Description |
|---|---|
| Webhook Secret | Alphanumeric string (A–Z, a–z, 0–9, _, -). Set it on the trigger; paste the same value into the sending system. Each flow has its own secret — rotate one without touching the others. |
curl -X POST "YOUR_WEBHOOK_URL" \
-H "Authorization: Bearer YOUR_WEBHOOK_SECRET" \
-H "Content-Type: application/json" \
-d '{ "order_id": "ORD-1042" }'
Bearer-token authentication
The webhook trigger accepts standard Bearer token auth via the Authorization header. Most external systems (Stripe-style platforms, Postman, custom backends) already speak this — just paste your webhook secret as the token.
| Auth method | What to send | When to use it |
|---|---|---|
| Bearer token | Authorization: Bearer <secret> |
Default for most APIs. Strongest option that works everywhere. |
| Custom header | Any header you choose, then check it inside a Branch step | When the sender can't change Authorization (legacy webhooks, vendor lock-in) |
| Signed payload | Source-specific signatures (Stripe Stripe-Signature, GitHub HMAC) |
When the source supports cryptographic signing — strongest for replay protection |
💡 Tip: If a request fails auth, Taskade returns
401 Unauthorizedand the flow does not run. The Runs tab still logs the attempt so you can audit failed deliveries.
Security tips
Treat the webhook URL like a password. Anyone holding it can fire your automation.
- Keep the URL out of public repos, screenshots, and shared docs.
- Use the per-flow webhook secret + Bearer token above whenever the sender supports it.
- Rotate the secret (and/or the URL) right away if you suspect a leak. Save the new value into the sending tool.
- Prefer signed payloads from the source when the source supports them, for example Stripe signatures or GitHub HMAC headers.
Frequently Asked Questions
What does the HTTP Webhook trigger do?
It gives any Taskade automation a unique inbound URL that an outside system can POST to. When any service sends JSON to that URL, your automation runs. This is the easiest way to start a workflow from another tool, like a payment platform or a custom backend.
Where do I find my webhook URL?
Open the automation, click Add Trigger, and pick Webhook Received from the HTTP trigger list. Taskade shows your unique Webhook URL right in the trigger panel. Copy it, click Save, and paste it into the external service you want to fire the automation.
What data does the automation receive from a webhook?
When the request includes a JSON content type, Taskade parses it automatically and exposes five pieces of the request to every later step: the parsed body, the raw body text, the headers, the HTTP method, and the URL query parameters. You can reference any of them with the @ picker or {{ }} syntax. This lets you route names, emails, order IDs, and anything else straight into your actions.
How do I keep my webhook URL safe?
Treat the URL like a password, since anyone holding it can fire your automation. Keep it out of public repos, screenshots, and shared docs. For extra protection, add the per-flow Webhook Secret and Bearer token, and rotate the secret right away if you ever suspect a leak.
How do I test the webhook trigger?
Send a real POST request from your terminal with a small JSON body, like the curl example above. A successful request returns HTTP 202 Accepted, which means your payload was accepted and the automation is queued. Open the Runs tab to watch the steps run and confirm your fields parsed correctly.
What happens if a delivery fails or my automation has a hiccup?
Taskade stores every inbound POST before any action runs, so a brief downstream issue never loses an event. Actions that error are retried automatically with backoff, and you can replay any past delivery from the Runs tab in one click. Long-running actions also do not block the next webhook from being accepted.
Which plan includes the HTTP Webhook trigger?
The HTTP Webhook trigger is available on the Pro, Business, Max, and Enterprise plans. On Free and Starter you can still use built-in triggers like Forms, Schedule, and task events. See the pricing page for the latest plan matrix.
Related guides
- Webhooks (Action). Outbound counterpart that sends events from Taskade.
- Branch Action. Route incoming payloads to different paths.
- Loop Action. Iterate over arrays inside a webhook payload.
- Structured Output. Turn raw payloads into typed variables.
- HTTP Request Action. Call external APIs from inside the automation.