Skip to main content
Webhooks let Steppd send an HTTP POST request to a URL you control whenever a subscribed event occurs — for example, when a document is published or a new member joins. Use them to trigger automations in tools like Zapier, Make, or your own backend. Every team member can create webhooks from their profile. Admins have additional visibility across the whole organization from Settings.

Creating a webhook

1

Go to Profile → Webhooks tab

Click your name or initials in the bottom of the sidebar to open your profile, then select the Webhooks tab.
2

Open the creation form

Click + New webhook.
3

Fill in the details

Enter a Name to identify this webhook, the destination URL that will receive the POST requests, and check at least one Event to subscribe to. You can subscribe to any combination of the available events.
4

Create the webhook

Click Create webhook. Steppd creates the webhook and immediately shows a Save your webhook secret dialog.
5

Save the webhook secret

Copy the secret displayed in the dialog and store it somewhere secure — a password manager or environment variable in your backend.
The webhook secret is only shown once, at the moment of creation. You cannot retrieve it again after closing this dialog. Use it to verify the X-Steppd-Signature header on incoming requests.

Testing a webhook

Click Test next to any webhook in your list. Steppd dispatches a test payload to the configured URL and displays the result inline — a green ✓ 200 if the request succeeded, or a red if the delivery failed. Use this to confirm your endpoint is reachable and processing requests before relying on it in production.

Editing a webhook

Click Edit next to a webhook you created. Update the Name, URL, or Events as needed, then click Save.

Deleting a webhook

Click Delete next to a webhook you created. The webhook is removed immediately and no further events are sent to that URL.

Admin management

Admins can view, edit, and delete any webhook in the organization — not just their own — from Settings → Webhooks tab.
Members can only edit or delete webhooks they personally created. Webhooks created by other members are visible in your list (for transparency), but the Edit and Delete buttons only appear on your own entries.

Verifying webhook signatures

Every request Steppd sends includes an X-Steppd-Signature header containing an HMAC-SHA256 signature of the raw request body, computed using your webhook secret. Verify this signature in your endpoint to confirm the request genuinely came from Steppd and was not tampered with. 
const crypto = require('crypto');

function verifySignature(secret, payload, signature) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature)
  );
}
Pass the raw request body bytes (before any JSON parsing), your stored webhook secret, and the value of the X-Steppd-Signature header to the function. If the comparison returns false, reject the request.