# Sources A source is a representation of a service that sends HTTP requests to the Hookdeck Event Gateway. For example, a third-party service sending webhooks, such as Shopify and Stripe, or an internal service making an HTTP request to distribute an event to other services, external or internal. ## How sources work Each source is given a unique Hookdeck URL that can be pasted into the HTTP or webhook URL field of the sender platform, or used within code when making the HTTP request. Once HTTP requests are received by Hookdeck via the source URL, events are ingested and routed according to your [connection rules](/docs/connections#connection-rules). Hookdeck is a platform for asynchronous messaging and therefore returns a basic [customizable](#custom-responses) synchronous HTTP response to the client that has invoked the source URL. It is not possible to synchronously return a response from a [destination](/docs/destinations) to the client (for example, the result of an API call). However, you can use an asynchonous workflow to achieve this and send the result of any work done by a destination via a webhook callback. See the [Hookdeck destination response FAQ](/docs/hookdeck-basics#can-hookdeck-return-the-response-from-a-destination-to-the-source) for more information. > You can customize the source URL to use your own custom domain name. See [Custom Domain](/docs/platform/event-gateway-projects#custom-domain) for more information. ## Source Types Source Types help you quickly configure sources for specific platforms and services. When you select a Source Type, Hookdeck automatically sets up the appropriate configuration including authentication methods, required headers, and response formats commonly used by that platform. For example, selecting the "Stripe" Source Type will automatically configure the source to handle Stripe's webhook signature verification and respond with the expected 200 status code. > With generic types such as "Webhook" and "HTTP" you can still customize the configuration to match your specific need regardless of the provider is directly supported by Hookdeck. Source Types include popular platforms like: * [ADYEN](https://docs.adyen.com/development-resources/webhooks/verify-hmac-signatures/) * [AIPRISE](https://docs.aiprise.com/docs/callbacks-authentication) * [AIRTABLE](https://airtable.com/developers/web/api/webhooks-overview#webhook-notification-delivery) * AIRWALLEX * AKENEO * [ALCHEMY](https://www.alchemy.com/docs/reference/notify-api-quickstart#webhook-signature--security) * [ALIPAY](https://docs.alipayplus.com/alipayplus/alipayplus/api_acq_tile/signature) * [ASANA](https://developers.asana.com/docs/webhooks-guide#security) * [ASCEND](https://developers.useascend.com/docs/webhooks) * [ASHBY](https://developers.ashbyhq.com/docs/authenticating-webhooks) * AWS_SNS * BIGCOMMERCE * [BONDSMITH](https://docs.bond.tech/docs/signatures) * [BRIDGE_API](https://docs.bridgeapi.io/docs/secure-your-webhooks) * [BRIDGE_XYZ](https://apidocs.bridge.xyz/docs/webhook-event-signature-verification) * CHAINDOTS * [CHARGEBEE_BILLING](https://www.chargebee.com/docs/billing/2.0/site-configuration/webhook_settings#basic-authentication) * [CIRCLE](https://developers.circle.com/cpn/guides/webhooks/verify-webhook-signatures) * [CLAUDE](https://platform.claude.com/docs/en/managed-agents/webhooks) * [CLIO](https://docs.developers.clio.com/api-reference/#tag/Webhooks/Webhook-Security) * CLOUDSIGNAL * [COINBASE](https://docs.cdp.coinbase.com/data/webhooks/verify-signatures) * [COMMERCELAYER](https://docs.commercelayer.io/core/callbacks-security) * COURIER * [CURSOR](https://cursor.com/docs/cloud-agent/api/webhooks) * [CUSTOMERIO](https://docs.customer.io/journeys/webhooks/#securely-verify-requests) * DISCORD * [DOCUSIGN](https://developers.docusign.com/platform/webhooks/connect/validate/) * [EBAY](https://developer.ebay.com/api-docs/commerce/notification/resources/destination/methods/createDestination) * [ENODE](https://developers.enode.com/docs/webhooks) * ETHOCA * [EXACT_ONLINE](https://support.exactonline.com/community/s/knowledge-base#All-All-DNO-Content-webhooksc) * FACEBOOK * [FASTSPRING](https://developer.fastspring.com/reference/message-security) * [FAUNDIT](https://faundit.gitbook.io/faundit-api-v2/webhooks) * [FAVRO](https://favro.com/developer/#webhook-signatures) * [FIREBLOCKS](https://developers.fireblocks.com/reference/validating-webhooks) * [FIREFLIES](https://docs.fireflies.ai/graphql-api/webhooks#webhook-authentication) * FISERV * [FLEXPORT](https://apidocs.flexport.com/v2/tag/Webhook-Endpoints/) * [FRONTAPP](https://dev.frontapp.com/docs/webhooks-1#verifying-integrity) * [FUSIONAUTH](https://fusionauth.io/docs/extend/events-and-webhooks/signing) * [GEMINI](https://ai.google.dev/gemini-api/docs/webhooks#handle-webhook-requests) * [GITHUB](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries) * GITLAB * [GOCARDLESS](https://developer.gocardless.com/getting-started/staying-up-to-date-with-webhooks#staying_up-to-date_with_webhooks) * [GREENDOT](https://developer.greendot.com/embedded-finance/docs/webhooks-overview) * HOOKDECK_OUTPOST * HTTP * [HUBSPOT](https://developers.hubspot.com/docs/api/webhooks/validating-requests) * [INTERCOM](https://developers.intercom.com/docs/references/webhooks/webhook-models#signed-notifications) * [LINEAR](https://developers.linear.app/docs/graphql/webhooks#securing-webhooks) * LINKEDIN * [LITHIC](https://docs.lithic.com/docs/events-api#verifying-webhooks) * MAILCHIMP * [MAILGUN](https://documentation.mailgun.com/docs/mailgun/user-manual/tracking-messages/#webhooks) * MANAGED * [MERAKI](https://developer.cisco.com/meraki/webhooks/introduction/#shared-secret) * [MICROSOFT_GRAPH](https://learn.microsoft.com/en-us/graph/webhooks) * [MICROSOFT_SHAREPOINT](https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/overview-sharepoint-webhooks) * [MONDAY](https://support.monday.com/hc/en-us/articles/360003540679-Webhook-integration) * [NEON](https://neon.com/docs/auth/guides/webhooks#signature-verification) * [NMI](https://secure.networkmerchants.com/gw/merchants/resources/integration/integration_portal.php#webhooks_setup) * [NUVEMSHOP](https://tiendanube.github.io/api-documentation/resources/webhook) * [NYLAS](https://developer.nylas.com/docs/v3/getting-started/webhooks/) * OKTA * OPENAI * [ORB](https://docs.withorb.com/guides/integrations-and-exports/webhooks#webhooks-verification) * [OURA](https://cloud.ouraring.com/v2/docs#section/Security) * [PADDLE](https://developer.paddle.com/webhooks/signature-verification) * [PAYMOB](https://developers.paymob.com/paymob-docs/developers/webhook-callbacks-and-hmac/hmac/hmac-transaction-callback) * [PAYPAL](https://developer.paypal.com/api/rest/webhooks/rest/) * [PAYPRO_GLOBAL](https://developers.payproglobal.com/docs/integrate-with-paypro-global/webhook-ipn/) * [PAYSTACK](https://paystack.com/docs/payments/webhooks/#verify-event-origin) * [PERSONA](https://docs.withpersona.com/docs/webhooks-best-practices#checking-signatures) * [PICQER](https://picqer.com/en/api/webhooks#validating-webhooks) * PIPEDRIVE * POLAR * PORTAL * POSTMARK * [PRAXIS](https://doc.praxiscashier.com/integration_docs/latest/webhooks/validation) * PROPERTY-FINDER * PUBLISH_API * [PYLON](https://getpylon.com/developers/guides/using-webhooks/#event-signatures) * [QUOTER](https://help.quoter.com/hc/en-us/articles/32085971955355-Integrate-with-Webhooks#h_73bb393dfd) * [RAZORPAY](https://razorpay.com/docs/webhooks/validate-test/#validate-webhooks) * [RECHARGE](https://docs.getrecharge.com/docs/webhooks-overview#validating-webhooks) * [RECURLY](https://docs.recurly.com/recurly-subscriptions/docs/signature-verification) * REPAY * [REPLICATE](https://replicate.com/docs/topics/webhooks/verify-webhook) * RESEND * [REVOLUT](https://developer.revolut.com/docs/guides/accept-payments/tutorials/work-with-webhooks/verify-the-payload-signature) * [RING_CENTRAL](https://developer.ringcentral.com/api-docs/latest/index.html#webhooks) * [SANITY](https://www.sanity.io/docs/webhooks) * [SCRAPFLY](https://scrapfly.io/docs/scrape-api/webhook) * SENDGRID * [SHIPBOB](https://developer.shipbob.com/2026-01/webhooks#verifying-signatures) * [SHIPHERO](https://developer.shiphero.com/webhooks/#webhook_verification) * [SHOPIFY](https://shopify.dev/docs/apps/build/webhooks/subscribe/https#step-2-validate-the-origin-of-your-webhook-to-ensure-its-coming-from-shopify) * [SHOPLINE](https://developer.shopline.com/docsv2/ec20/3cv5d7wpfgr6a8z5/wf8em731s7f8c3ut?version=v20240301#signature-verification) * [SLACK](https://api.slack.com/authentication/verifying-requests-from-slack#validating-a-request) * [SMARTCAR](https://smartcar.com/docs/integrations/webhooks/payload-verification) * [SMILE](https://docs.getsmileapi.com/reference/webhooks#validating-payloads) * [SOLIDGATE](https://docs.solidgate.com/payments/integrate/webhooks/#security) * [SQUARE](https://developer.squareup.com/docs/webhooks/step3validate) * STRAVA * [STRIPE](https://docs.stripe.com/webhooks?verify=verify-manually) * SVIX * [SYNCTERA](https://dev.synctera.com/docs/webhooks-guide#integration-steps) * [TALLY](https://tally.so/help/webhooks) * [TEBEX](https://docs.tebex.io/developers/webhooks/overview#verifying-webhook-authenticity) * TELNYX * THREE_D_EYE * [TIKTOK](https://developers.tiktok.com/doc/webhooks-verification) * TIKTOK_SHOP * [TOKENIO](https://developer.token.io/token_rest_api_doc/content/e-rest/webhooks.htm?Highlight=webhook#Signature) * [TREEZOR](https://docs.treezor.com/guide/webhooks/integrity-checks.html) * [TRELLO](https://developer.atlassian.com/cloud/trello/guides/rest-api/webhooks/#webhook-signatures) * [TWILIO](https://www.twilio.com/docs/usage/webhooks/webhooks-security#validating-signatures-from-twilio) * [TWITCH](https://dev.twitch.tv/docs/eventsub/handling-webhook-events/#verifying-the-event-message) * [TWITTER](https://developer.x.com/en/docs/x-api/enterprise/account-activity-api/guides/securing-webhooks) * [TYPEFORM](https://www.typeform.com/developers/webhooks/secure-your-webhooks/) * [UBER](https://developer.uber.com/docs/eats/guides/webhooks#webhook-security) * [UPOLLO](https://app.upollo.ai/docs/reference/webhooks#sign-up-for-upollo) * [USPS](https://developers.usps.com/subscriptions-adjustmentsv3#tag/Listener-URL-Specification/operation/post-notification) * [UTILA](https://docs.utila.io/reference/webhooks) * [VERCEL](https://vercel.com/docs/observability/webhooks-overview/webhooks-api#securing-webhooks) * [VERCEL_LOG_DRAINS](https://vercel.com/docs/rest-api#securing-your-log-drains) * [WALMART](https://developer.walmart.com/us-marketplace/docs/security-and-authenticity) * WEBHOOK * [WECHAT](https://pay.weixin.qq.com/doc/global/v3/en/4012357149) * WHATSAPP * [WIX](https://dev.wix.com/docs/build-apps/build-your-app/authentication/verify-wix-requests) * WOOCOMMERCE * [WORKOS](https://workos.com/docs/events/data-syncing/webhooks/3-process-the-events/b-validate-the-requests-manually) * [XERO](https://developer.xero.com/documentation/guides/webhooks/configuring-your-server/) * [ZENDESK](https://developer.zendesk.com/documentation/webhooks/verifying/) * [ZEROHASH](https://docs.zerohash.com/reference/webhook-security) * [ZIFT](https://api.zift.io/#webhooks) * [ZOOM](https://developers.zoom.us/docs/api/webhooks/#verify-webhook-events) ## Content-types Hookdeck aims to be compatible with every API provider and with common HTTP event payloads. To accomplish this, we remain platform-agnostic and ingest requests (up to 10 MiB) with one of the following content-types: If you encounter a problem integrating a specific API provider, [send us a message](/contact). ## Create a source Creating a source allows Hookdeck to begin receiving and routing events sent from a specific origin. ### Dashboard 1. Follow the instructions for [creating a connection](/docs/connections#create-a-connection) 2. When configuring the source, select the appropriate Source Type from the dropdown 3. Configure any additional settings specific to your chosen Source Type ### API `POST /2025-07-01/sources` **Request body example** ```json { "name": "something-else" } ``` **Response example** ```json { "code": "RESOURCE_ALREADY_EXISTS", "status": 409, "message": "Resource already exists", "data": { "id": "src_v5lfi6g0iqsm38", "resource_type": "source" } } ``` ```bash curl -X POST "https://api.hookdeck.com/2025-07-01/sources" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "name": "stripe-prod", "type": "STRIPE", "verification": { "type": "STRIPE", "configs": { "webhook_secret_key": "whsec_..." } } }' ``` ## Custom methods `POST`, `PUT`, `PATCH`, and `DELETE` requests are accepted by default. `GET` requests are not accepted by default, but you can enable them in the Source Configuration > Advanced Source Configuration section when creating or updating your sources. ![HTTP Methods in the advanced configuration section in Source form](./images/source-custom-methods.png) You can also enable them explicitly by using a `x-hookdeck-allow-methods` query string parameter in your Hookdeck source URL. ``` ?x-hookdeck-allow-methods=get ``` ## Custom responses Some API vendors modify their behavior based on the response they receive from a request. For these providers, Hookdeck supports setting custom responses to satisfy their requirements. ![Customize Response in Source form](./images/source-customize-response.png) You can also use query string parameter `x-hookdeck-response` to explicitly customize the response. Append one of the following query parameters to the Hookdeck-provided source URL to achieve the desired response. | Response | Query parameter example | Behavior | | --- | --- | --- | | Empty | `?x-hookdeck-response=null` or `?x-hookdeck-response` | Hookdeck responds with an empty body | | Text | `?x-hookdeck-response[text]=Hello+World` | Hookdeck responds with the text `Hello World` | | JSON | `?x-hookdeck-response[json]=%7B%22message%22%3A%22Hello%20World%22%7D` | Hookdeck responds with the specified JSON | | XML | `?x-hookdeck-response[xml]=` | Hookdeck responds with the specified XML | ## Add source authentication {#add-source-authentication} Requests can optionally be authenticated. While Source Types come with recommended authentication settings, you can customize these as needed. Hookdeck supports generic authentication options, HMAC, Basic Auth, and API Keys, which cover the majority of authentication providers. > If you've selected a specific Source Type, the authentication method will be pre-configured according to that platform's requirements. You'll only need to provide the necessary credentials. Configure how incoming requests from a source are authenticated. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you want to authenticate. 3. Click Open Source. 4. Under Advanced Source Configuration, toggle the Source Authentication switch and select the appropriate authentication method from the dropdown. 5. Enter the information required by the authentication method. 6. Click Save. ### API `PUT /2025-07-01/sources/:id` **Request body example** ```json { "name": "shopify" } ``` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.934Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null, "auth": null, "auth_type": null }, "disabled_at": null, "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` ```bash curl -X PUT "https://api.hookdeck.com/2025-07-01/sources/src_123456789" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "verification": { "type": "HMAC", "configs": { "algorithm": "SHA256", "encoding": "base64", "header_key": "x-webhook-signature", "webhook_secret_key": "your_webhook_secret" } } }' ``` > All secrets are AES encrypted. In the [connection's](https://dashboard.hookdeck.com/connections) page, your source will now have a shield icon next to it. ## Edit source authentication Edit a source to update the authentication method or change the credentials. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you want to edit the authentication method for. 3. Click Open Source. 4. Scroll to Source Authentication under Advanced Source Configuration, and change the authentication method and related credentials. 5. Click Save. ### API `PUT /2025-07-01/sources/:id` **Request body example** ```json { "name": "shopify" } ``` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.934Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null, "auth": null, "auth_type": null }, "disabled_at": null, "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` ## Remove source authentication Removing authentication from a source will stop the authentication and verification of any incoming requests and all requests will be accepted. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you want to remove authentication from. 3. Click Open Source. 4. Under Advanced Source Configuration, toggle off the Source Authentication switch. 5. Click Save. ### API `PUT /2025-07-01/sources/:id` **Request body example** ```json { "name": "shopify" } ``` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.934Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null, "auth": null, "auth_type": null }, "disabled_at": null, "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` ## Edit a source Editing a source lets you change the name of a source in your project. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you want to edit. 3. You can edit the source from inside the popup or click Open Source to edit in full page. 4. Click Save. ### API `PUT /2025-07-01/sources/:id` **Request body example** ```json { "name": "shopify" } ``` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.934Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null, "auth": null, "auth_type": null }, "disabled_at": null, "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` Once a source has been renamed, its name is updated throughout the project and within any associated connection(s). ## Disable a source Disabling a source temporarily halts inbound requests at the associated Hookdeck URL. An HTTP 200 status code will still be returned for any request received on your Source URL. > This process also disables all the connections that are associated to that source. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you wish to disable. 3. Click ••• button in the bottom right corner of the popup. 4. Click Disable Source. ### API `PUT /2025-07-01/sources/:id/disable` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.948Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null }, "disabled_at": "2026-01-14T13:36:41.947Z", "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` ```bash curl -X PUT "https://api.hookdeck.com/2025-07-01/sources/src_123456789/disable" \ -H "Authorization: Bearer YOUR_API_KEY" ``` ## Enable a source Enabling a source returns that source to its previously active state. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the disabled source you wish to enable. 3. Click ••• button in the bottom right corner of the popup. 4. Click Enable Source. ### API `PUT /2025-07-01/sources/:id/enable` **Response example** ```json { "id": "src_qa5626p6y5o79b", "team_id": "tm_lbhzBKgFOUnB", "updated_at": "2026-01-14T13:36:41.959Z", "created_at": "2026-01-14T13:35:55.226Z", "name": "shopify", "description": null, "type": "WEBHOOK", "config": { "allowed_http_methods": [ "POST", "PUT", "PATCH", "DELETE" ], "custom_response": null }, "disabled_at": null, "url": "http://localhost:8787/qa5626p6y5o79b", "authenticated": false } ``` ```bash curl -X PUT "https://api.hookdeck.com/2025-07-01/sources/src_123456789/enable" \ -H "Authorization: Bearer YOUR_API_KEY" ``` Hookdeck will resume ingesting requests from the enabled source. You may need to enable the associated connection(s) when the source was disabled or create new connections. Requests received from the source while it was disabled will not be available for replay. ## Delete a source Deleting a source permanently disables inbound requests at the associated Hookdeck URL. Hookdeck will return an HTTP 410 status code for any request received on your Source URL. Associated event and request data is retained for the remainder of your retention window and will be displayed with a `Source Deleted` label. > This process also deletes all the connections that rely on the source. ### Dashboard 1. Open the [Connections](https://dashboard.hookdeck.com/connections) page. 2. Click the source you wish to delete. 3. Click ••• button in the bottom right corner of the popup. 4. Click Delete Source. 5. Click Delete in the confirmation dialog. ### API `DELETE /2025-07-01/sources/:id` **Response example** ```json { "id": "src_qa5626p6y5o79b" } ``` ```bash curl -X DELETE "https://api.hookdeck.com/2025-07-01/sources/src_123456789" \ -H "Authorization: Bearer YOUR_API_KEY" ``` Once a source has been deleted, it will disappear from your list of sources and the Connections page.