How do I know a webhook really came from my sender?

Set the source to HMAC or bearer auth. In HMAC mode ingestlayer recomputes HMAC-SHA256 over the raw body and compares it to the X-Ingest-Signature header in constant time, rejecting anything that doesn't match before the event enters the pipeline.

What stops a retry from being processed twice?

Send an X-Ingest-Idempotency-Key header. Ingest is deduplicated on it, so a sender that retries on a timeout still produces exactly one event.

Can I reshape the payload before it lands?

Yes — the body arrives as-is, then the transform action maps it to whatever shape your destination expects, so a third party's field names never leak into your Slack message or your Postgres columns.

ingestlayer/recipes/v0.4

HTTP webhook → Telegram

Any service that can send an HTTP request becomes a source. ingestlayer generates an ingest URL — https://in.ingestlayer.com/whk/<token> — and every POST to it becomes one event.

01source

sourcewebhook.inHTTP webhook

matchorder.created

02pipeline · 3 steps

01MUTtransformreshape the body to your schema
02CTLdedupedrop replays by id
03CTLfilter.matchroute only what matches

03destinations · 1

totelegramTelegram
chat@oncall

how events arrive

01
create the endpoint
Add an HTTP webhook source. ingestlayer generates a unique URL of the form https://in.ingestlayer.com/whk/<token> that accepts any HTTP POST.
02
choose auth
HMAC signing (the default) or a bearer token. In signed mode the sender includes an X-Ingest-Signature header — the hex HMAC-SHA256 of the raw body — which ingestlayer recomputes and compares in constant time, rejecting anything that doesn't match. An unauthenticated mode exists for local testing.
03
send your events
POST JSON to the URL. The body becomes the event payload; if it carries a string `type` that becomes the event type, otherwise ingestlayer stamps webhook.in.received. Rename or reshape fields with the transform action downstream.

from http webhookdelivered

POST /whk/wh_3f8a HTTP/1.1
Host: in.ingestlayer.com
Content-Type: application/json
X-Ingest-Signature: 9f86d081884c…

{
  "type":     "order.created",
  "order_id": "ord_18f2",
  "amount":   4200,
  "currency": "eur",
  "email":    "ada@acme.com"
}

route it to Telegram

Message a person, group, or channel through a connected bot.

01
connect a bot
Create a bot with @BotFather and paste its token. We register the webhook and verify it in-region.
02
start a chat
Send /start to the bot from the target chat — or add it to the group/channel — then pick the chat from the list.
03
format the text
Messages use MarkdownV2; the default template bolds the event name and lists fields. Reserved characters in field values are escaped for you.

in telegramdelivered

oncall
*support.ticket.created*
ticket    T-4821
subject   API returning 500s
tier      enterprise
urgency   critical

notes

Telegram caps a bot at roughly 30 messages per second overall, and one per second to a single chat.
The bot must be added to a group — and promoted to admin for a channel — before it can post.
MarkdownV2 requires escaping characters like _ * [ ] ( ); ingestlayer escapes field values, but custom templates are your responsibility.

questions

How do I know a webhook really came from my sender?: Set the source to HMAC or bearer auth. In HMAC mode ingestlayer recomputes HMAC-SHA256 over the raw body and compares it to the X-Ingest-Signature header in constant time, rejecting anything that doesn't match before the event enters the pipeline.
What stops a retry from being processed twice?: Send an X-Ingest-Idempotency-Key header. Ingest is deduplicated on it, so a sender that retries on a timeout still produces exactly one event.
Can I reshape the payload before it lands?: Yes — the body arrives as-is, then the transform action maps it to whatever shape your destination expects, so a third party's field names never leak into your Slack message or your Postgres columns.

build this pipeline or read the quickstart →