How to set up webhooks in n8n

Add a Webhook node to a workflow. The node panel shows two URLs: "Test URL" and "Production URL."

Test URL: works only while the n8n editor is open AND you have clicked "Listen for Test Event." This is for development.

Production URL: works when the workflow is set to Active. This is the URL you give vendors.

Critical: copying the Test URL into Stripe/Typeform/etc. is the #1 webhook setup mistake. It works during your testing session and stops working the moment you close the tab. Vendors retry for a while, then stop. Weeks of data lost silently.

Always: build with Test URL, then switch to Production URL before going live.

In the Webhook node settings:

- HTTP Method: usually POST (most webhooks). GET for callback-style integrations.

- Path: leave the default UUID OR set a custom path like `stripe-payments`. Custom paths are easier to remember but less secure.

- Response Mode: "Respond Immediately" sends a 200 OK as soon as n8n receives the webhook (recommended — fast vendor acknowledgement). "Respond When Last Node Finishes" waits for the entire workflow to complete (slow; risks vendor timeout).

- Authentication: "None" for vendors that sign payloads (Stripe, GitHub). "Header Auth" for shared-secret vendors. "Basic Auth" for legacy integrations.

Save the workflow. Copy the Production URL.

Most reputable webhook senders sign payloads with HMAC. The signature is in a header (e.g., `Stripe-Signature`, `X-Hub-Signature-256`).

In the next node after Webhook, add a Code or Function node:

```

const crypto = require('crypto')

const signature = $input.first().headers['stripe-signature']

const secret = $env.STRIPE_WEBHOOK_SECRET

const body = JSON.stringify($input.first().body)

// vendor-specific signature verification

const expected = crypto.createHmac('sha256', secret).update(body).digest('hex')

if (signature !== expected) throw new Error('Invalid signature')

return $input.all()

```

Without signature validation, anyone who guesses or scans your webhook URL can inject fake data into your workflow. Skipping this is a real security issue, not a theoretical one.

If the workflow takes longer than ~10 seconds to complete, the vendor will time out and retry. You will see the same webhook fire multiple times.

Pattern 1 (recommended): "Respond Immediately" mode. The Webhook node returns 200 OK instantly. The rest of the workflow processes async. Fast and safe.

Pattern 2: "Respond When Last Node Finishes." Only use when the vendor needs your processed response. Keep the workflow under 8 seconds total.

For long-running workflows, use Pattern 1 + a "Respond to Webhook" node later in the flow if you need to return data. The Respond to Webhook node sends the response back to the original caller even after async processing.

In the vendor dashboard, find the test/replay feature: Stripe Dashboard → Webhooks → Send test event. Typeform → Connect → Test webhook.

Send a real test from the vendor. Watch the n8n Executions tab in real-time.

Verify three things: (1) the execution appears within a few seconds, (2) the request body matches what you expected, (3) the signature validation passes.

If anything fails, check the vendor side too — most vendor dashboards have a "delivery log" showing the response code n8n returned. A 500 there tells you n8n received the request but errored; a timeout there tells you n8n is taking too long; a 404 means the URL is wrong.

Most webhook senders include a unique event ID (e.g., `evt_1234` from Stripe). Use it.

Add a "deduplication" check early in the workflow: store recently-seen event IDs in a small store (Redis, Postgres, n8n Data Tables, or a Google Sheet).

If the event ID has been seen in the last 24 hours, short-circuit the workflow — return 200 to the vendor but skip downstream actions.

Without this, every Stripe payment that times out + retries creates duplicate records, duplicate emails, duplicate Slack notifications. Idempotency is non-negotiable for webhooks that mutate data.