How do I know a webhook really came from my sender?

Set the source to HMAC or bearer auth. In HMAC mode ingestlayer recomputes HMAC-SHA256 over the raw body and compares it to the X-Ingest-Signature header in constant time, rejecting anything that doesn't match before the event enters the pipeline.

What stops a retry from being processed twice?

Send an X-Ingest-Idempotency-Key header. Ingest is deduplicated on it, so a sender that retries on a timeout still produces exactly one event.

Can I reshape the payload before it lands?

Yes — the body arrives as-is, then the transform action maps it to whatever shape your destination expects, so a third party's field names never leak into your Slack message or your Postgres columns.

ingestlayer/recipes/v0.4

HTTP webhook → Postgres

Any service that can send an HTTP request becomes a source. ingestlayer generates an ingest URL — https://in.ingestlayer.com/whk/<token> — and every POST to it becomes one event.

01source

sourcewebhook.inHTTP webhook

matchorder.created

02pipeline · 3 steps

01MUTtransformreshape the body to your schema
02CTLdedupedrop replays by id
03CTLfilter.matchroute only what matches

03destinations · 1

towarehouse.pgPostgres
tableevents.signups

how events arrive

01
create the endpoint
Add an HTTP webhook source. ingestlayer generates a unique URL of the form https://in.ingestlayer.com/whk/<token> that accepts any HTTP POST.
02
choose auth
HMAC signing (the default) or a bearer token. In signed mode the sender includes an X-Ingest-Signature header — the hex HMAC-SHA256 of the raw body — which ingestlayer recomputes and compares in constant time, rejecting anything that doesn't match. An unauthenticated mode exists for local testing.
03
send your events
POST JSON to the URL. The body becomes the event payload; if it carries a string `type` that becomes the event type, otherwise ingestlayer stamps webhook.in.received. Rename or reshape fields with the transform action downstream.

from http webhookdelivered

POST /whk/wh_3f8a HTTP/1.1
Host: in.ingestlayer.com
Content-Type: application/json
X-Ingest-Signature: 9f86d081884c…

{
  "type":     "order.created",
  "order_id": "ord_18f2",
  "amount":   4200,
  "currency": "eur",
  "email":    "ada@acme.com"
}

route it to Postgres

Insert each event as a row into a table in your own Postgres.

01
add the connection
Paste a Postgres connection string. Connections originate from our EU region — allowlist those egress IPs on your database.
02
point at a table
Name the target table. Top-level event fields map to columns, and the full payload is also available as a jsonb column.
03
map columns
Match event fields to columns with $event.* references, or accept the default mapping into a typed events table.

in postgresdelivered

INSERT INTO events.signups
  (user_id, email, plan, source, payload)
VALUES
  ('u_018f', 'ada@acme.com', 'pro',
   'marketing-site', '{ … }'::jsonb);

notes

The target table must already exist with compatible column types; ingestlayer never runs DDL on your database.
Connections come from fixed EU egress IPs — add them to your firewall, or inserts will time out.
Use a jsonb column for the full payload when your event shape changes often, so a new field never breaks the insert.

questions

How do I know a webhook really came from my sender?: Set the source to HMAC or bearer auth. In HMAC mode ingestlayer recomputes HMAC-SHA256 over the raw body and compares it to the X-Ingest-Signature header in constant time, rejecting anything that doesn't match before the event enters the pipeline.
What stops a retry from being processed twice?: Send an X-Ingest-Idempotency-Key header. Ingest is deduplicated on it, so a sender that retries on a timeout still produces exactly one event.
Can I reshape the payload before it lands?: Yes — the body arrives as-is, then the transform action maps it to whatever shape your destination expects, so a third party's field names never leak into your Slack message or your Postgres columns.

build this pipeline or read the quickstart →