Open Navigation

Webhook Trigger


The WebHook trigger allows you to catch callouts for any service that offers sending a signal to a custom URL. For this example, we will show you how to set up a WebHook for Promoter.

Webhook size limit

The size limit for a basic webhook payload is 1MB. File content can be sent as multi-part http requests, with an overall limit of 10MB.

Locate your Workflow's Public URL

The public URL is where all WebHook calls will be sent. This is what allows Tray to receive data from your service of choice.

  1. Create a new workflow with a WebHook trigger.

  2. Select the Operation: When WebHook is Received

  3. Click on the Settings Wheel in the top-left.

  4. Select General Settings.

  5. Copy your Workflow Public URL to the clipboard:

Configure the WebHook in your Service

Navigate to your service of choice and direct it to send all callouts to your Workflow Public URL.

  1. Log in to your service of choice.
  2. Select Account (varies by service).
  3. Select WebHooks.
  4. Select the desired operation for your WebHook.
  5. Add the Tray Workflow Public URL as the target.


Test your WebHook

Let's send some data to your WebHook to ensure it was configured correctly.

  1. Click Enable at the bottom-right to enable your workflow. Now, Tray is actively listening for calls from any WebHook whose target is your Workflow Public URL.
  2. Navigate to your service and run a test (varies by service).


  1. If your service does not have a test option, you will have to trigger an event type that matches what your WebHook is listening for. In this example, the Promoter WebHook is listening for feedback in the campaign.
  2. In Tray, click Debug. This is where you can see all data that is entering, exiting, and being manipulated within your workflow.
  3. If your configuration is correct, you will see a singular entry in the Workflow Logs containing the data from your test.


Extracting data from your webhook

Now this data can be used anywhere else in your flow.

For example, to test this you could use a 'Send Email' connector to extract some of the above data fields:


From the example data above this would result in an email being sent which would say "Hello is a detractor with a score of 6 on the NPS Surveys campaign".

For your live Workflows, you could use this method to send data to Salesforce, Slack, etc. - whatever your needs might be!

Triggering an event reply

It is possible to send a reply to the service which sent the webhook data to your workflow, by using the When webhook is received let workflow reply operation.

For example, after taking several steps to process the data received, you may wish to respond with a 200 status and a "Successfully Recorded" message in the body.

Or, after making an unsuccessful boolean check for a user or valid url, you may wish to respond with a 404 'not found' message.

Please see our Trigger Event Reply documentation for details.

Securing your webhook

It is recommended that you secure your webhook to make sure that you only receive requests from trusted sources.

Using a CSRF token

The primary method for doing this is with a CSRF Token. This can be done by clicking on 'Show Advanced Settings' and entering a value in the CSRF Token field:


This should be a long hard to guess string that must be included as an x-csrf-token header in any calls made to the webhook.

You can test this by using an API development environment such as Postman, by making a POST request to your workflow url and adding the same CSRF token as a header:


A successful call to the webhook will be shown in the logs under the debug tab of your workflow:


Any calls which do not contain the x-csrf-token header, or contain an incorrect value, will receive an Invalid value for header: X-Csrf-Token response.

Manually adding a token when CSRF isn't available

If CSRF is not available in your source system, you can manually add a token query to the workflow URL for all posted messages.

For example, if your worflow url is you could suffix a token with

In your workflow you can then make a boolean check for this token:


Looking at the debug for the webhook trigger will show the token coming through and confirm correct usage of the $.steps.trigger.query.token jsonpath:


Was this article helpful?