Provider Template Reference
Detailed reference for all 13 webhook provider templates. Payload shapes, signature methods, headers, and event types for Stripe, GitHub, Shopify, Twilio, Slack, Paddle, Linear, SendGrid, Clerk, Discord, Vercel, GitLab, and Standard Webhooks.
Updated Mar 2026
Templates generate realistic payloads with correct headers and signatures. Use them from the dashboard, the SDK, or the MCP server.
Stripe
Signature: HMAC-SHA256 over {timestamp}.{body} in stripe-signature header.
| Event | Description |
|---|---|
| payment_intent.succeeded | Payment completed |
| checkout.session.completed | Checkout session paid |
| invoice.paid | Invoice payment succeeded |
Payload shape:
{
  "id": "evt_...",
  "object": "event",
  "api_version": "2025-01-27.acacia",
  "created": 1700000000,
  "data": {
    "object": { "id": "pi_...", "amount": 2000, "currency": "usd", "status": "succeeded" }
  },
  "type": "payment_intent.succeeded",
  "livemode": false
}
Headers: stripe-signature, user-agent: Stripe/1.0
GitHub
Signature: HMAC-SHA256 over raw body in x-hub-signature-256 header (prefixed sha256=).
| Event | Description |
|---|---|
| push | Code pushed to a branch |
| pull_request.opened | Pull request opened |
| ping | Webhook configuration test |
Payload shape (push):
{
  "ref": "refs/heads/main",
  "before": "abc...",
  "after": "def...",
  "repository": { "id": 123, "full_name": "org/repo" },
  "commits": [{ "id": "def...", "message": "...", "timestamp": "..." }],
  "pusher": { "name": "user", "email": "[email protected]" }
}
Headers: x-github-event, x-github-delivery, x-hub-signature-256
Shopify
Signature: HMAC-SHA256 over raw body, base64-encoded in x-shopify-hmac-sha256 header.
| Event | Description |
|---|---|
| orders/create | New order created |
| orders/paid | Order payment done |
| products/update | Product updated |
| app/uninstalled | App removed by shop |
Payload shape (orders/create):
{
  "id": 1234567890,
  "email": "[email protected]",
  "financial_status": "pending",
  "total_price": "19.99",
  "line_items": [{ "title": "Demo Item", "quantity": 1, "price": "19.99" }]
}
Headers: x-shopify-topic, x-shopify-hmac-sha256, x-shopify-shop-domain, x-shopify-api-version, x-shopify-webhook-id
Twilio
Signature: HMAC-SHA1 over URL + sorted form params, base64-encoded in x-twilio-signature header.
| Event | Description |
|---|---|
| messaging.inbound | Incoming SMS |
| messaging.status_callback | Message delivery status |
| voice.incoming_call | Incoming voice call |
Content-Type: application/x-www-form-urlencoded (not JSON)
Payload fields (messaging.inbound): AccountSid, MessageSid, From, To, Body, NumMedia, MessageStatus
Headers: x-twilio-signature
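The string Twilio signs is the full request URL followed by each form field name and value in sorted key order, with no separators. The following is an added example, not code from the original reference or the SDK; the function names and the sample request are constructed for illustration, and repeated form fields are not handled.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample request (not real Twilio data).
const SAMPLE = {
  url: "https://example.test/hooks/sms",
  form: "To=%2B15550002222&From=%2B15550001111&Body=hello+world",
};

// Build the signed string: URL, then key+value for every field, keys sorted
// case-sensitively. Nothing separates the parts, so the URL must be exactly
// the one Twilio called (scheme, host, path and query string).
function twilioSignedString(url, params) {
  return Object.keys(params).sort().reduce((acc, k) => acc + k + params[k], url);
}

function verifyTwilio(authToken, url, formBody, headerSig) {
  // Decode the form body first; the signature covers decoded values.
  const params = Object.fromEntries(new URLSearchParams(formBody));
  const expected = createHmac("sha1", authToken)
    .update(twilioSignedString(url, params))
    .digest();
  const given = Buffer.from(headerSig || "", "base64");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}
```

Behind a TLS-terminating proxy, rebuild the public URL before verifying; a handler that sees `http://` where Twilio called `https://` rejects every request.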
Slack
Signature: HMAC-SHA256 over v0:{timestamp}:{body} in x-slack-signature header (prefixed v0=).
| Event | Description | Content-Type |
|---|---|---|
| event_callback | Events API event | application/json |
| slash_command | Slash command invocation | application/x-www-form-urlencoded |
| url_verification | Challenge handshake | application/json |
Payload shape (event_callback):
{
  "type": "event_callback",
  "team_id": "T...",
  "api_app_id": "A...",
  "event": { "type": "app_mention", "user": "U...", "text": "hello", "channel": "C..." },
  "event_id": "Ev...",
  "event_time": 1700000000
}
Headers: x-slack-signature, x-slack-request-timestamp
Paddle
Signature: HMAC-SHA256 over {timestamp}:{body} in paddle-signature header (format ts={ts};h1={hex}).
| Event | Description |
|---|---|
| transaction.completed | Payment completed |
| subscription.created | New subscription started |
| subscription.updated | Subscription changed |
Payload shape:
{
  "event_id": "uuid",
  "event_type": "transaction.completed",
  "occurred_at": "2026-03-20T...",
  "notification_id": "uuid",
  "data": { "id": "txn_...", "status": "completed", "customer_id": "ctm_...", "total": "49.00" }
}
Headers: paddle-signature
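Stripe, Slack and Paddle above all sign a timestamp together with the raw body, so one receiver-side verifier with a replay window can cover the three. This is an added example, not code from the original reference or the SDK; the function names are hypothetical, and Stripe's `t=...,v1=...` header layout comes from Stripe's documentation rather than this page.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Split "k=v" pairs on the given separator (Stripe uses ",", Paddle uses ";").
const pairs = (value, sep) =>
  Object.fromEntries((value || "").split(sep).map((p) => p.trim().split("=")));

// Where each provider puts the timestamp and hex digest, and what it signs.
// Stripe may send several v1 entries during secret rotation; only the last is checked here.
const SCHEMES = {
  stripe: {
    parse: (h) => { const kv = pairs(h["stripe-signature"], ","); return { ts: kv.t, sig: kv.v1 }; },
    signed: (ts, body) => `${ts}.${body}`,
  },
  slack: {
    parse: (h) => ({
      ts: h["x-slack-request-timestamp"],
      sig: (h["x-slack-signature"] || "").replace(/^v0=/, ""),
    }),
    signed: (ts, body) => `v0:${ts}:${body}`,
  },
  paddle: {
    parse: (h) => { const kv = pairs(h["paddle-signature"], ";"); return { ts: kv.ts, sig: kv.h1 }; },
    signed: (ts, body) => `${ts}:${body}`,
  },
};

// Returns "ok", "malformed", "bad-signature" or "stale".
function verifyTimestamped(provider, secret, headers, rawBody, nowSec, toleranceSec = 300) {
  const scheme = SCHEMES[provider];
  const { ts, sig } = scheme.parse(headers);
  if (!/^\d+$/.test(ts || "") || !sig) return "malformed";
  const expected = createHmac("sha256", secret).update(scheme.signed(ts, rawBody)).digest();
  const given = Buffer.from(sig, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad-signature";
  // Only now is the timestamp authenticated; reject captures older than the window.
  if (Math.abs(nowSec - Number(ts)) > toleranceSec) return "stale";
  return "ok";
}
```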
Linear
Signature: HMAC-SHA256 over raw body in linear-signature header (prefixed sha256=).
| Event | Description |
|---|---|
| issue.create | Issue created |
| issue.update | Issue updated |
| comment.create | Comment added |
Payload shape (issue.create):
{
  "action": "create",
  "type": "Issue",
  "webhookTimestamp": "2026-03-20T...",
  "data": { "id": "uuid", "identifier": "ENG-42", "title": "..." }
}
Headers: linear-signature
SendGrid
Signature: None. SendGrid uses IP allowlisting, not HMAC signatures.
| Event | Description |
|---|---|
| delivered | Email delivered to recipient |
| open | Email opened |
| bounce | Email bounced |
| spam_report | Recipient marked as spam |
Payload shape: SendGrid sends a JSON array (not an object):
[
  {
    "email": "[email protected]",
    "timestamp": 1700000000,
    "event": "delivered",
    "sg_event_id": "...",
    "sg_message_id": "...",
    "category": ["webhooks-cc-demo"]
  }
]
Headers: user-agent: SendGrid Event Webhook
Clerk
Signature: Standard Webhooks (Svix) — HMAC-SHA256 over {msgId}.{timestamp}.{body}, base64-encoded. Both webhook-* and svix-* headers are sent.
| Event | Description |
|---|---|
| user.created | New user signed up |
| user.updated | User profile changed |
| user.deleted | User deleted |
| session.created | New session started |
Payload shape (user.created):
{
  "data": {
    "id": "user_...",
    "object": "user",
    "first_name": "Webhook",
    "last_name": "Tester",
    "email_addresses": [{ "email_address": "[email protected]" }],
    "created_at": 1700000000000
  },
  "object": "event",
  "type": "user.created",
  "timestamp": 1700000000000
}
Headers: webhook-id, webhook-timestamp, webhook-signature, svix-id, svix-timestamp, svix-signature
Discord
Signature: Ed25519 (not HMAC). Templates include placeholder signature headers but cannot generate valid Ed25519 signatures from a shared secret. Use the SDK's verifyDiscordSignature(publicKey, request) separately for verification testing.
| Event | Description |
|---|---|
| interaction_create | Slash command invocation |
| message_component | Button/select menu interaction |
| ping | Discord verification ping |
Payload shape (interaction_create):
{
  "id": "...",
  "application_id": "...",
  "type": 2,
  "data": { "id": "...", "name": "webhook-test", "type": 1 },
  "guild_id": "...",
  "channel_id": "...",
  "member": { "user": { "username": "webhooks-cc-bot" } },
  "token": "..."
}
Interaction types: 1 = Ping, 2 = Application Command, 3 = Message Component
Headers: x-signature-timestamp (informational)
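Ed25519 verification needs only the application's public key, while signing needs the matching private key, which is why a shared-secret template cannot produce a valid signature. The following is an added example, not the SDK's verifyDiscordSignature; the function names are hypothetical, `x-signature-ed25519` is Discord's documented header name (not listed above), and the throwaway key pair stands in for Discord's signer in local tests.

```javascript
const { createPublicKey, generateKeyPairSync, sign, verify } = require("node:crypto");

// ASN.1 header that wraps a raw 32-byte Ed25519 key as SubjectPublicKeyInfo (DER).
const SPKI_ED25519_PREFIX = Buffer.from("302a300506032b6570032100", "hex");

function verifyEd25519Request(publicKeyHex, headers, rawBody) {
  const raw = Buffer.from(publicKeyHex, "hex");
  const sig = Buffer.from(headers["x-signature-ed25519"] || "", "hex");
  const ts = headers["x-signature-timestamp"] || "";
  if (raw.length !== 32 || sig.length !== 64 || !ts) return false;
  try {
    const key = createPublicKey({
      key: Buffer.concat([SPKI_ED25519_PREFIX, raw]), format: "der", type: "spki",
    });
    // The signed message is the timestamp header value followed by the raw body.
    return verify(null, Buffer.from(ts + rawBody), key, sig);
  } catch {
    return false; // key bytes that do not decode as a usable key
  }
}

// Throwaway key pair for local tests (constructed; not a Discord key).
function makeTestSigner() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  // The SPKI export is the 12-byte prefix plus the 32 raw key bytes.
  const publicKeyHex = publicKey.export({ format: "der", type: "spki" }).subarray(12).toString("hex");
  const signRequest = (ts, body) => ({
    "x-signature-timestamp": ts,
    "x-signature-ed25519": sign(null, Buffer.from(ts + body), privateKey).toString("hex"),
  });
  return { publicKeyHex, signRequest };
}
```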
Vercel
Signature: HMAC-SHA1 over raw body, hex-encoded in x-vercel-signature header.
| Event | Description |
|---|---|
| deployment.created | Deployment started |
| deployment.succeeded | Deployment completed |
| deployment.error | Deployment failed |
Payload shape (deployment.created):
{
  "id": "uuid",
  "type": "deployment.created",
  "createdAt": 1700000000000,
  "payload": {
    "deployment": { "id": "dpl_...", "name": "my-project", "url": "my-project-abc.vercel.app" },
    "project": { "id": "prj_...", "name": "my-project" },
    "team": { "id": "team_...", "name": "my-team" }
  }
}
Headers: x-vercel-signature
GitLab
Signature: Raw secret token in x-gitlab-token header (string comparison, not HMAC).
| Event | Description |
|---|---|
| push | Code pushed |
| merge_request | Merge request event |
Payload shape (push):
{
  "object_kind": "push",
  "event_name": "push",
  "ref": "refs/heads/main",
  "project": { "id": 12345, "name": "demo-repo", "web_url": "https://gitlab.com/..." },
  "commits": [{ "id": "abc...", "message": "...", "timestamp": "..." }],
  "total_commits_count": 1
}
Headers: x-gitlab-token, x-gitlab-event (Push Hook or Merge Request Hook)
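The raw-body schemes above (GitHub, Shopify, Linear, Vercel) differ only in hash, digest encoding and prefix, while GitLab compares the token itself. This is an added example, not code from the original reference or the SDK; the function names are hypothetical and the per-provider settings are taken from the entries on this page.

```javascript
const { createHmac, createHash, timingSafeEqual } = require("node:crypto");

// Header name, hash, digest encoding and prefix per provider, as listed in this reference.
const RAW_BODY_SCHEMES = {
  github: { header: "x-hub-signature-256", algo: "sha256", enc: "hex", prefix: "sha256=" },
  shopify: { header: "x-shopify-hmac-sha256", algo: "sha256", enc: "base64", prefix: "" },
  linear: { header: "linear-signature", algo: "sha256", enc: "hex", prefix: "sha256=" },
  vercel: { header: "x-vercel-signature", algo: "sha1", enc: "hex", prefix: "" },
};

// rawBody must be the exact bytes received, captured before any JSON parsing.
function verifyRawBody(provider, secret, headers, rawBody) {
  const s = RAW_BODY_SCHEMES[provider];
  const value = headers[s.header] || "";
  if (!value.startsWith(s.prefix)) return false;
  const given = Buffer.from(value.slice(s.prefix.length), s.enc);
  const expected = createHmac(s.algo, secret).update(rawBody).digest();
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// GitLab sends the secret itself. Hashing both sides gives equal-length inputs,
// so the comparison stays constant-time even when the token length is wrong.
function verifyGitLabToken(secret, headers) {
  const h = (v) => createHash("sha256").update(String(v ?? "")).digest();
  return timingSafeEqual(h(headers["x-gitlab-token"]), h(secret));
}
```

A body that has been parsed and re-serialized rarely matches byte for byte, so keep the received bytes for verification and parse a copy.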
Standard Webhooks
Signature: HMAC-SHA256 over {msgId}.{timestamp}.{body}, base64-encoded in webhook-signature header. Used by Polar.sh, Svix, Resend, Liveblocks, and Novu.
| Event | Description |
|---|---|
| order.created | New order placed |
| invoice.paid | Invoice paid |
| subscription.active | Subscription activated |
Payload shape:
{
  "type": "order.created",
  "timestamp": "2026-03-20T12:00:00Z",
  "data": {
    "id": "ord_...",
    "customer_id": "cust_...",
    "amount": "49.00",
    "currency": "usd",
    "status": "completed"
  }
}
Headers: webhook-id, webhook-timestamp, webhook-signature
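Receiver-side verification for the Standard Webhooks scheme, which also covers the Clerk entry above. This is an added example, not code from the original reference or the SDK; the function name is hypothetical, and the `whsec_` base64 secret format and the space-separated `v1,<base64>` header entries come from the Standard Webhooks specification rather than this page.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

function verifyStandardWebhook(secret, headers, rawBody, nowSec, toleranceSec = 300) {
  // Accept either header family; Clerk sends both webhook-* and svix-*.
  const get = (name) => headers[`webhook-${name}`] ?? headers[`svix-${name}`];
  const id = get("id");
  const ts = get("timestamp");
  const sigHeader = get("signature");
  if (!id || !sigHeader || !/^\d+$/.test(ts || "")) return false;

  // The HMAC key is the base64 payload after "whsec_", not the literal string.
  const key = Buffer.from(secret.replace(/^whsec_/, ""), "base64");
  const expected = createHmac("sha256", key).update(`${id}.${ts}.${rawBody}`).digest();

  // Several entries may be present while a signing key is being rotated.
  const matched = sigHeader.split(" ").some((entry) => {
    const [version, b64] = entry.split(",");
    if (version !== "v1" || !b64) return false;
    const given = Buffer.from(b64, "base64");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return given.length === expected.length && timingSafeEqual(given, expected);
  });

  // The timestamp is trusted only after the MAC over it has matched.
  return matched && Math.abs(nowSec - Number(ts)) <= toleranceSec;
}
```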