Webhooks
Send signed webhook payloads to external systems when events happen in your workspace.
Webhooks
Send data to your external systems when events happen in your workspace.
Setting Up Webhooks
Webhooks are configured as Actions:
- Go to Actions
- Create a new action with trigger (e.g., "Data Record Created")
- Select Send Webhook as the action type
- Enter your HTTPS endpoint URL — Gravity Rail rejects
http://URLs in production because webhook payloads can include PHI (member name, email, phone, DataRecord field values), and HIPAA 45 CFR 164.312(e)(2)(ii) requires that PHI be encrypted in transit.http://URLs are still permitted in development environments for local testing againstlocalhost/webhook.site/host.docker.internal.
Security
Request signing
When an event rule's webhook action has a signing secret configured, Gravity Rail sends an HMAC-SHA256 signature on every delivery:
- Header:
X-Webhook-Signature - Format:
t={unix_timestamp},v1={hex_digest} - Signed message: the ASCII string
{timestamp}.concatenated with the raw JSON body bytes (exactly as sent on the wire) - Secret: auto-generated per event rule on creation; view or rotate it in the rule's webhook action settings (not under API Keys)
Reject requests when the timestamp is more than five minutes old (replay protection). Compare signatures with a constant-time function.
Python:
python
Node.js:
javascript
Payloads are JSON in the request body. Signing is optional per rule; rules without a secret still deliver over HTTPS in production.
Payload Examples
Data Record Created
json
Member Updated
json
Testing
- Use webhook.site for development
- Create a test action pointing to your test URL
- Trigger the event
- Verify the payload arrives and the
X-Webhook-Signatureheader validates (if signing is enabled)
Tips
- HTTPS is enforced in production - The API rejects
http://URLs at create/update time with a 400 error so PHI in webhook payloads is never transmitted unencrypted (HIPAA 45 CFR 164.312(e)(2)(ii)). Existing rules withhttp://URLs are also blocked at delivery time and surfaced aswebhook_url_blockedin the rule UI — update the URL tohttps://to resume delivery. - Handle retries - Implement idempotent handlers
- Check logs - Failed webhooks appear in action logs
Related
- Actions — Configure webhook triggers and conditions
- CEL Expressions — Write conditions to control when webhooks fire
- Template Variables — Dynamic variables available in webhook payloads
Related Resources
Template Variables
Personalize messages and notifications with dynamic variables like member names and form data.
Toolkits
Create custom tools and integrate external services for your AI workflows.
Healthcare MCP Integration Examples
Healthcare-specific examples for connecting EHR systems, scheduling, lab results, pharmacy, and clinical decision support via MCP and custom toolkits.
All Guides
Browse all available guides