Configure the webhook

To configure a webhook for your environment, head to environment settings and set your webhook options. There are two fields:

Webhook URLThis is the webhook endpoint you want hotglue to send POST requests to
Webhook SecretOptional - if provided, hotglue will generate a signature of every payload using this secret and include it as the X-Hub-Signature in the request headers. Used to verify the payload is from hotglue.

Webhook payload

hotglue will send a webhook POST request to your hook every time a job moves forward in the job lifecycle. You can read about the job lifecycle here.

Example payload


  "job_id": "16FzN",
  "env_id": "",
  "flow_id": "l8odS2mce",
  "job_name": "test_job:kr8J8ks-u",
  "tenant": "default",
  "started_by": "default",
  "s3_root": "default/flows/l8odS2mce/jobs/16FzN",
  "start_time": "2020-12-30T20:29:21.614299+00:00",
  "state": {},
  "tap": "quickbooks:sandbox",
  "status": "JOB_COMPLETED",
  "task_id": "dab752626e3944db960b7c9cc9ab3a25",
  "last_updated": "2020-12-30T20:31:00.081282+00:00"

Validating the signature

If you’ve chosen to set a webhook secret, we will send an X-Hub-Signature in the request headers to your webhook URL. The purpose of this is to verify that the payload came from hotglue.

See below for sample logic for how to validate the signature using JavaScript.

// Get the X-Hub-Signature header
const signature = req.normalizedHeaders['x-hub-signature'];
// Get the payload of the webhook as a string
const payload = typeof req.rawBody == "object" ? JSON.stringify(req.rawBody) : req.rawBody;
// Get your webhook secret
const secret = hotGlue.webhookSecret;

// Compute the signature using the above parameters
const computedSignature = crypto.createHmac('sha1', secret).update(payload).digest("hex");

const checksum = Buffer.from(signature, 'utf8');
const newChecksum = Buffer.from(computedSignature, 'utf8');

// Verify that the signature matches the X-Hub-Signature that was passed to you
if (checksum.length !== computedSignature.length || !crypto.timingSafeEqual(newChecksum, checksum)) {
  // This signature is invalid, and was not sent by hotglue
  console.error("Unable to verify Signature " + payload);
  return false;

// The signature was valid, it is safe to act on this webhok payload
console.log("Verified Payload Signature !");
return true;