POSTs a request to its endpoint. It’s the primary way to react to events from other services: signups, payments, CI events, and the like.
Example requests
Ask your coding agent which external event should kick off a run. It can create the endpoint and validate the payload.“When Stripe sends a payment succeeded webhook, update the customer record and start onboarding.”
“When we get a new GitHub issue, triage it and add the right labels.”
“When our app POSTs a new signup, enrich the profile and notify the sales channel.”
Define a webhook
UsedefineWebhookSource with a slug, an endpoint, and a request schema, then attach a target.
src/triggers/signup.ts
| Option | Required | What it does |
|---|---|---|
slug | Yes | Stable trigger slug (used in the attachment id and run history) |
endpoint | Yes | The route suffix; the webhook URL is POST /triggers/{endpoint} |
request | Yes | Zod schema the incoming body must match for the trigger to fire |
filter | No | Extra Zod constraints beyond request. See filtering. |
The webhook URL
The endpoint becomes the routePOST /triggers/{endpoint}. Print the full URL for a deployed trigger:
request, the trigger fires and starts a run. When it doesn’t, the request is rejected (or skipped, on a shared endpoint).
Webhooks ack asynchronously: the POST returns immediately — 202 with the runId when a trigger matches, or { ok: true, skipped: true } when none does — and the run executes in the background. The workflow’s output is not returned in the webhook response (there’s no “respond to webhook”). To return data to the caller, make an outbound call from the workflow, or have the caller poll the run via run history or the runs API.
Authenticating webhooks
Underkeystroke dev the local webhook endpoints are open, so the curl above works with no auth. On the deployed platform, each webhook route requires a webhook API key. keystroke triggers url returns the full URL with that key already included as a ?token= query parameter, so you can hand it straight to the sending system:
| Form | Example |
|---|---|
| Query | ?token=<key> or ?api_key=<key> |
| Header | Authorization: Bearer <key> |
| Header | x-api-key: <key> |
401.
Validation
Therequest schema is both the contract and the gate: only requests that parse against it fire the trigger. Model just the fields you care about; Zod ignores extra fields by default, so you don’t have to describe an entire third-party payload.
For constraints beyond shape (for example, “only invoice.paid events”), add an optional filter.
Exportable schemas
Webhookrequest and filter schemas are exported to JSON Schema at build time for platform filtering, the canvas, and run forms. They must be plain structural Zod — objects, strings, literals, unions, and built-in validators like .email() or .min(). Do not use code-based methods like .transform(), .preprocess(), .refine(), or .superRefine(); keystroke build will fail with an error explaining the fix.
When you need to remap or normalize fields (for example, coalescing two payload keys into one), keep the exported schema as the wire shape and remap in .attach({ transform }) or with a plain function at the top of run(). See advanced triggers — transform a workflow input.
input and output schemas when they are exported at build time.
Filtering
Afilter is a second Zod schema applied after request. Use it to narrow which payloads fire the trigger without changing the request contract:
transform shapes the input for the run. See advanced triggers for both.
Shared endpoints
Multiple trigger files can share the sameendpoint: one URL, many triggers, each with its own slug, request, filter, and transform. This is the pattern for a provider like Stripe that sends every event type to a single webhook URL.
{ ok: true, skipped: true }. List the triggers on a shared endpoint:
slug for run history (keystroke triggers runs list stripe-invoice-paid --workflow <workflow-slug>).
Next steps
Advanced triggers
Transform payloads, attach agents, and interpolate prompts.
App events
Point a webhook at a connected third-party app.
Schedules
Run on a cron schedule instead of an inbound request.
Triggers overview
Sources, attach, and attachment ids.