Make webhooks guide: Practical webhooks on Make.com

This make webhooks guide gives a direct, technical introduction: you will learn how to receive, parse, test, and secure incoming webhooks using Make.com’s Webhooks module with runnable examples and troubleshooting tips. Start by creating a webhook module in Make.com, then point your sender to the generated URL and verify payloads in your scenario.

Make webhooks guide — Concepts and flow

At a high level a webhook workflow includes: a source that sends an HTTP request, Make.com’s webhook endpoint that receives the request, and downstream modules that parse and act on the payload. Webhooks are event-driven and typically use POST with a JSON body, but Make.com accepts other content types depending on your flow. Key concepts: payload, headers, signature (if used), and retries.

Create and test a webhook on Make.com

Steps to create a basic incoming webhook in Make.com:

In Make.com create a new scenario and add the Webhooks module (Incoming webhook).
Save the module and copy the generated webhook URL provided by Make.com.
Send a test POST from your service or use curl to verify receipt.

Example curl command to send a JSON payload to the webhook URL (replace YOUR_WEBHOOK_URL):

curl -X POST "YOUR_WEBHOOK_URL" \
  -H "Content-Type: application/json" \
  -d '{"event":"order.created","order_id":12345}'

Node.js (fetch) example to post the same payload:

import fetch from 'node-fetch'

await fetch('YOUR_WEBHOOK_URL', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ event: 'order.created', order_id: 12345 })
})

After sending a test request, confirm the data appears in the webhook module’s output and map fields into subsequent modules for processing.

Parsing, retries, and common pitfalls

Make.com’s scenario engine will surface the raw request; use JSON parsing and mapping to extract values. Common issues include content-type mismatches, payload encoding problems, and long-running downstream modules causing apparent timeouts. For robust behavior:

Ensure the sender sets the correct Content-Type header.
Validate JSON before mapping to avoid parse errors.
Design scenarios to acknowledge receipt quickly and handle heavy processing asynchronously.

Security

Securing webhooks is essential. Make.com supports receiving standard HTTP requests; to protect endpoints consider:

Using a shared secret and HMAC: have the sender include an HMAC signature header computed over the raw body. Verify it in a webhook receiver module or a custom function. Example HMAC verification (Node.js):

// Node.js HMAC-SHA256 verification example
import crypto from 'crypto'

function verifySignature(rawBody, secret, signatureHeader) {
  const hmac = crypto.createHmac('sha256', secret)
  hmac.update(rawBody, 'utf8')
  const expected = 'sha256=' + hmac.digest('hex')
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signatureHeader))
}

Enforce TLS (HTTPS) — Make.com’s webhook URLs are HTTPS; ensure your sender uses TLS.
Implement replay protection — include a timestamp in the payload and reject old requests.
Rate limit and IP allowlists where applicable — use sender-side throttling or middleware before the webhook endpoint if you expect bursts.

Update

When you change a webhook schema or rotate secrets, follow a safe update pattern: add versioning to the webhook path or payload, deploy the new handler in parallel, and run both versions for a transition period. If you must rotate the secret used for signature verification, support both the old and new secrets for a short overlap window to avoid dropped events.

Performance considerations and resource tiers

Make.com plans and resource tiers affect execution concurrency, scenario run limits, and webhook throughput. For low-volume development a basic tier may suffice; for high-frequency or latency-sensitive webhooks consider higher tiers or a design that offloads heavy processing to background queues. Monitor execution quotas and error rates so you can scale plan tiers or redesign flows before hitting limits.

Troubleshooting and monitoring

Checklist when a webhook doesn’t appear in Make.com:

Confirm the webhook URL is correct and publicly reachable.
Inspect sender logs for HTTP status codes; Make.com will respond with 2xx for accepted requests.
Use the Make.com scenario run history to view incoming payloads and module errors.
Test with a minimal payload via curl to eliminate sender-side transformation issues.

Examples: verifying and processing payloads

Simple pattern inside a scenario: receive webhook → parse JSON → validate required fields → enqueue background task or call downstream API. If you need custom validation or transformation, use a code module or external microservice to process and then hand results back to Make.com.

For conceptual background on how automation works and where webhooks fit, see our Make.com how it works guide. For concrete integration ideas, review common use cases. If you want an overview of the provider, read our Make.com review.

Closing recommendation

Start small: create a single webhook scenario, send controlled test events, add HMAC verification, and monitor runs. When you need higher throughput or lower latency, evaluate Make.com plan tiers and move heavier processing into asynchronous workers. If you’re ready to expand after testing, Build advanced automations by combining webhooks with queues, retries, and robust error handling to create production-grade flows.

Written by Nadia

Nadia writes exclusively about Make.com and advanced workflow automation. She explores real-world scenarios, API integrations, error handling, performance optimization, and scalable automation design, translating complex setups into practical step-by-step guides. As part of the AutomationCompare team, Nadia focuses entirely on helping readers master Make.com and build reliable automation systems.