Skip to main content
Inbound webhooks let external systems trigger automations in C1 by sending authenticated HTTP POST requests, so events in your HRIS, ticketing system, or CI/CD pipeline can initiate access management workflows automatically. For example, you can use inbound webhooks to:
  • Trigger an offboarding automation when an employee’s status changes to “Inactive” in Workday
  • Revoke sensitive access when a security tool detects a compromised account
  • Start an onboarding workflow when a new hire is created in BambooHR
  • Grant temporary access when a deployment pipeline needs elevated permissions

How it works

  1. You create an automation with an Incoming webhook trigger, choosing either HMAC or JWT authentication.
  2. C1 generates a unique webhook listener endpoint URL.
  3. Your external system sends authenticated POST requests to that URL with a JSON payload.
  4. C1 validates the request’s authentication and runs the automation, passing the webhook payload as context data that can be used in automation steps.

Set up an inbound webhook

A user with the Super Admin role in C1 must complete this task.
1
Navigate to Admin > Workflows > Automations and click New automation (or open an existing automation).
2
Click Set automation trigger and select Incoming webhook.
3
Choose an authentication method:
  • HMAC (recommended for simplicity): C1 generates a shared secret. You use this secret to sign each request.
  • JWT: You provide a JWKS URL where C1 can fetch your public keys. You sign each request with your private key.
See Authentication methods for details on each option.
4
Save the trigger configuration. C1 generates the full webhook endpoint URL and displays it in the drawer, ready to copy:
5
Add automation steps that use the webhook payload data, then Publish the automation.
6
Configure your external system to send POST requests to the webhook URL with the appropriate authentication headers. See Send a webhook request for the required headers and format.

Authentication methods

Every inbound webhook request must be authenticated. C1 supports two methods:

HMAC authentication

HMAC (Hash-based Message Authentication Code) uses a shared secret to sign requests. This is the simpler option, suitable for most use cases. How it works:
  1. When you configure the webhook trigger, C1 generates a 256-bit secret and provides it as a base64url-encoded string.
  2. For each request, you compute an HMAC-SHA256 signature over the timestamp, event ID, and request body.
  3. C1 verifies the signature against the stored secret.
Computing the signature: The signature input is the string {timestamp}.{event_id}.{body} (the three values joined with periods). Use the secret string exactly as provided (do not base64-decode it) as the HMAC key. Compute HMAC-SHA256, then base64url-encode the result (without padding).

JWT authentication

JWT (JSON Web Token) authentication uses public key cryptography. You host a JWKS (JSON Web Key Set) endpoint, and C1 fetches your public keys to verify request signatures. Supported algorithms: RS256, ES256, EdDSA How it works:
  1. You generate a key pair and host the public key as a JWKS endpoint.
  2. When you configure the webhook trigger, you provide the JWKS URL.
  3. For each request, you create a JWT with specific claims and sign it with your private key.
  4. C1 fetches your JWKS and verifies the JWT signature and claims.
1
Generate a key pairYou can use RSA, ECDSA, or Ed25519 keys. Here’s an example with RSA:
2
Create and host a JWKS documentFormat your public key as a JSON Web Key Set:
Host this document at a stable HTTPS URL (for example, a GitHub Gist raw URL, an S3 bucket, or your application’s /.well-known/jwks.json endpoint).
3
Configure the webhook triggerIn the automation’s webhook trigger settings, select JWT authentication and enter your JWKS URL.Required JWT claims:

Send a webhook request

All inbound webhook requests are HTTP POST requests to:

Required headers

Request body

The body must be valid JSON and cannot exceed 64 KB. The JSON content is passed to the automation as context data, accessible in automation steps and CEL expressions.

Response codes

Curl example

Here’s a minimal example using curl with HMAC authentication:

Security features

Inbound webhooks include several layers of protection against replay attacks and unauthorized access.

Idempotency

Each request includes a Webhook-Event-Id header with a UUID v4. If C1 receives a second request with the same event ID for the same listener, it returns a 409 response and does not re-run the automation. Event records are retained for 7 days.

Timestamp validation

The Webhook-Timestamp header must be within 5 minutes of the current server time. This prevents replay attacks where a captured request is resent later.

IP restrictions

You can optionally restrict inbound webhooks to specific source IP ranges by configuring allowed CIDRs on the webhook listener. Requests from IPs outside the allowed ranges are rejected with a 403 response.

Body integrity

Both authentication methods verify the integrity of the request body:
  • HMAC: The body is included in the HMAC signature input, so any modification invalidates the signature.
  • JWT: The htb_s256 claim contains a SHA-256 hash of the body, verified by C1.

Use webhook data in automation steps

The JSON body from the webhook request is available as context data within the automation. You can reference webhook payload fields in CEL expressions used in automation steps. For example, if your webhook sends:
You can access these values within your automation steps using these CEL expressions: ctx.trigger.employee_id and ctx.trigger.department (or if you prefer the map access format, use: ctx.trigger["employee_id"] and ctx.trigger["department"]).

Troubleshooting inbound webhook error codes