Webhooks
Webhooks let external systems trigger workflows in Nembl. Send a POST request with a JSON payload to a generated webhook URL, and a Nembl workflow starts with that payload as input.
For the reverse direction (calling external systems from inside a workflow), use the Webhook Callout automation phase — it handles outbound HTTP from any phase in your workflow with full templating, retries, and response merging.
Inbound Webhooks
Inbound webhooks let external systems trigger Nembl workflows by sending HTTP requests to a unique webhook URL.
Creating an Inbound Webhook
- Navigate to Settings > Developer > Webhooks.
- Click Create Webhook.
- Configure the webhook:
  - Name -- descriptive label (e.g., "GitHub Push Events", "Stripe Payment Webhook").
  - Target workflow -- the workflow to trigger when the webhook is called.
  - Target offering -- optionally map the webhook to a specific service offering, creating a request automatically.
- Click Create.
- Copy the generated webhook URL:
https://api.nembl.devopspolis.com/v1/webhooks/inbound/whk_abc123xyz
Calling the Webhook
Send a POST request to the webhook URL with a JSON payload:
curl -X POST https://api.nembl.devopspolis.com/v1/webhooks/inbound/whk_abc123xyz \
  -H "Content-Type: application/json" \
  -H "x-webhook-signature: sha256=abc123..." \
  -d '{
    "event": "deployment.completed",
    "environment": "production",
    "version": "v2.1.0",
    "status": "success"
  }'
Payload Format
Nembl accepts any valid JSON payload. The entire payload is passed to the workflow as input data, accessible via workflow variables:
{{ webhook.body.event }} → "deployment.completed"
{{ webhook.body.environment }} → "production"
{{ webhook.body.version }} → "v2.1.0"
Additional metadata is available:
{{ webhook.headers.content-type }} → "application/json"
{{ webhook.method }} → "POST"
{{ webhook.receivedAt }} → "2026-04-01T10:30:00Z"
Webhook Response
Nembl responds immediately with a 202 Accepted status, indicating the webhook was received and the workflow will be triggered asynchronously:
{
  "status": "accepted",
  "webhookId": "whk_abc123xyz",
  "executionId": "exec_def456"
}
The executionId can be used to track the workflow execution via the API.
Signature Verification
Protect your webhook endpoints from unauthorized calls by enabling signature verification.
How It Works
- When creating a webhook, Nembl generates a signing secret.
- Copy and store the signing secret securely.
- When calling the webhook, compute an HMAC-SHA256 signature of the request body using the signing secret and include it in the x-webhook-signature header.
- Nembl verifies the signature before processing the webhook.
Computing the Signature
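// Node.js
const crypto = require("crypto");
const secret = "whsec_your_signing_secret";
// payload is the object you are about to send; serialize it once and
// send this exact string as the request body so the signature matches.
const body = JSON.stringify(payload);
const signature = crypto
  .createHmac("sha256", secret)
  .update(body)
  .digest("hex");
// Send as header: x-webhook-signature: sha256=<signature>

# Python
import hashlib
import hmac
import json
secret = b'whsec_your_signing_secret'
# payload is the dict you are about to send; serialize it once and
# send these exact bytes as the request body so the signature matches.
body = json.dumps(payload).encode()
signature = hmac.new(secret, body, hashlib.sha256).hexdigest()
# Send as header: x-webhook-signature: sha256=<signature>
Disabling Verification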
For development and testing, signature verification can be disabled on individual webhooks. This is not recommended for production use.
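The signing step under Computing the Signature has one common failure mode: the bytes that were signed are not the bytes that were sent. The following is an added example, not Nembl's own code. `verify_body` is an assumed model of a receiver-side check, and the secret and payload are constructed placeholders.

```python
import hashlib
import hmac
import json

HEADER_PREFIX = "sha256="  # header value format shown on this page


def sign_body(secret: bytes, body: bytes) -> str:
    """Return the x-webhook-signature value for the exact bytes being sent."""
    return HEADER_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_body(secret: bytes, body: bytes, header: str) -> bool:
    """Assumed receiver-side model: recompute over the raw body and
    compare in constant time."""
    if not header.startswith(HEADER_PREFIX):
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), header.encode())


def build_request(secret: bytes, payload: dict) -> tuple:
    """Serialize once, sign those bytes, and return those same bytes to send."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "x-webhook-signature": sign_body(secret, body),
    }
    return body, headers


# Constructed sample values; the secret is a placeholder, not a real key.
SECRET = b"whsec_example_placeholder"
PAYLOAD = {"event": "deployment.completed", "environment": "production",
           "version": "v2.1.0", "status": "success"}

if __name__ == "__main__":
    body, headers = build_request(SECRET, PAYLOAD)
    sig = headers["x-webhook-signature"]
    print("exact bytes verify:        ", verify_body(SECRET, body, sig))
    # A client that re-serializes the payload (default separators add spaces)
    # sends different bytes, so the signature computed earlier stops matching.
    reserialized = json.dumps(PAYLOAD).encode("utf-8")
    print("re-serialized bytes verify:", verify_body(SECRET, reserialized, sig))
    print("wrong secret verifies:     ", verify_body(b"whsec_other", body, sig))
```

When sending, pass the returned `body` bytes to the HTTP client as raw data rather than handing it the payload object to serialize again.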
Outbound Event Notifications
For pushing data out of a workflow, use a Webhook Callout phase; add it anywhere in your workflow that you want to notify an external system. The phase supports custom body templates (Slack, Discord, PagerDuty shapes), variable interpolation, and three response-handling modes (json, text, ignore).
A subscribe-to-events surface (subscribe an external URL to lifecycle events like request.created / workflow.completed, with retries and signature delivery) is on the roadmap. For now, achieve the same outcome by adding a Webhook Callout phase at the lifecycle point you care about — e.g. add one as the last phase before End to fire on workflow completion.
Webhook Delivery History
View the delivery history for any webhook from Settings > Developer > Webhooks:
- Delivery timestamp
- HTTP status code returned
- Response body (first 1 KB)
- Retry count
- Success or failure status
Use the delivery history to debug integration issues and verify that events are being received.
Best Practices
- Always verify signatures on inbound webhooks. Signature verification prevents unauthorized parties from triggering your workflows.
- Use a unique URL per integration. Don't share the same inbound webhook URL across multiple sender systems — when something misfires you won't know who sent it.
- Use HTTPS endpoints. Nembl only accepts inbound webhooks on HTTPS, and only delivers outbound Webhook Callouts to HTTPS targets.
- For outbound integrations, use Webhook Callout phases rather than waiting for the subscribe-to-events surface — Webhook Callout is fully supported today.