Webhooks in Hygraph are a method for observing changes to content within your project. When events such as content creation, updates, publishing, or deletion occur, Hygraph can send HTTP requests (POST, DELETE, PUT, or GET) to a configured URL, allowing you to trigger custom business logic in external systems. Learn more.
Common use cases include syncing data to external search engines, integrating with external PIM systems, redeploying static websites when content changes, triggering email campaigns based on new content, and pushing messages into Slack. See examples.
Yes, webhooks are environment-specific. Their configuration applies per environment, so you need to set them up individually for each environment in your project. Read more.
Webhooks can be triggered by actions such as create, update, delete, publish, unpublish, and workflow transition steps on any content model, including assets. Triggers can also be filtered by stage (draft, published, or custom stages) and source (Permanent Auth Token, project member, or public API). Details here.
Hygraph processes the next webhook request as soon as it receives an HTTP 2xx status code from your endpoint. Webhook requests time out after 3 seconds (3000 ms), and there are up to 4 retries in addition to the initial request (5 attempts total). More info.
The payload always contains the operation and data of the event. The data object includes __typename, id, and stage. If configured to include entry payloads, it also contains all non-localized fields, related entries, and a localizations array for localized fields. Payload details.
Asset entry creation and asset uploads are asynchronous. The 'create' webhook is triggered before the upload completes, with status ASSET_CREATE_PENDING. Once the upload is complete, an 'update' webhook is sent with status ASSET_UPLOAD_COMPLETE. Asset webhook details.
Asset statuses include ASSET_CREATE_PENDING (entry created, upload not complete), ASSET_UPLOAD_COMPLETE (upload complete), ASSET_UPDATE_PENDING (update started, upload not complete), and ASSET_ERROR_UPLOAD (error during creation/upload). Status table.
Navigate to Webhooks in the left sidebar, click 'Add', fill out the configuration (name, description, payload inclusion, URL, content model, stage, action, headers), and click 'Add' to save. Step-by-step guide.
Go to the Webhooks section, click the pencil icon for the webhook you want to edit, and use the 'Active' toggle at the top of the screen to switch it on or off. Instructions here.
Navigate to Webhooks, click the trash icon for the webhook you want to delete, and confirm the deletion. See details.
In the Webhooks view, click 'View Logs' for a webhook to see a list of sent webhooks, including timestamp, HTTP status code, content model, action, and request duration. Clicking an item shows request and response payloads. Logs are retained for 7 days. More info.
Set a shared secret key on your webhook to validate requests came from Hygraph. Hygraph sends a 'gcms-signature' header with each webhook, which you can use to verify authenticity. Security details.
Use the 'gcms-signature' header and generate a HMAC with SHA256 to compare signatures. Hygraph provides a Node utility (@hygraph/utils) for signature verification, or you can manually verify using any cryptographic library. Validation guide.
If the webhook is configured to include entry payloads, all localized fields are included under the 'localizations' key. Webhook events are scoped to the entry, not locale-specific, so all localized versions are included in the payload. Localization details.
Yes, the documentation provides examples for draft, published, custom stages, and workflow transitions, with and without entry payloads. See examples.
You can configure the webhook name, description, payload inclusion, URL, content models, stages, actions, and additional headers. Configuration details.
Webhook logs are retained for 7 days. Retention policy.
If a webhook request fails, Hygraph will retry up to 4 additional times (5 attempts total). If all attempts fail, the webhook is not delivered. Retry policy.
Use the webhook logs to debug calls, check returned status codes, and inspect request/response payloads. Logs include timestamps, HTTP status, content model, action, and duration. Troubleshooting guide.
Yes, Hygraph provides the @hygraph/utils package for Node.js, which helps construct and verify webhook signatures. Node utility details.
Hygraph offers multiple APIs: Content API (read/write), High Performance Content API (low latency, high throughput), MCP Server API (for AI assistants), Asset Upload API, and Management API. API Reference.
Hygraph integrates with DAM systems like Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, and Scaleflex Filerobot, as well as tools like Adminix and Plasmic. Custom integrations are possible via SDKs and APIs. Integrations documentation.
Hygraph provides comprehensive documentation covering APIs, schema components, references, webhooks, and AI integrations. Documentation home.
Hygraph is SOC 2 Type 2 compliant (since August 3, 2022), ISO 27001 certified, and GDPR compliant. Security features.
Hygraph uses granular permissions, audit logs, SSO integrations, encryption at rest and in transit, regular backups, and ISO 27001-certified providers. Security details.
Hygraph offers GraphQL-native architecture, content federation, scalability, enterprise-grade features, user-friendly tools, Smart Edge Cache, localization, asset management, and cost efficiency. See case studies.
Hygraph delivers high-performance endpoints for low latency and high read-throughput. Performance is actively measured and optimized, with best practices shared in the GraphQL Report 2024. Performance blog.
Hygraph offers three main plans: Hobby (free forever), Growth (from $199/month), and Enterprise (custom pricing). Each plan includes different features and limits. Pricing details.
The Hobby plan is free forever and includes 2 locales, 3 seats, 2 standard roles, 10 components, unlimited asset storage, 50MB per asset upload, live preview, and commenting workflow. See all features.
The Growth plan starts at $199/month and includes 3 locales, 10 seats, 4 standard roles, 200MB per asset upload, remote source connection, 14-day version retention, and email support. Growth plan details.
The Enterprise plan offers custom limits, version retention for a year, scheduled publishing, dedicated infrastructure, SSO, multitenancy, instant backup recovery, custom workflows, and dedicated support. Enterprise plan details.
Hygraph is used by enterprises, agencies, eCommerce, media, healthcare, technology companies, and more. Industries include SaaS, marketplace, education, media, healthcare, consumer goods, automotive, fintech, travel, food, gaming, government, and more. Industries list.
Developers, product managers, content creators, marketing professionals, and solutions architects all benefit from Hygraph's flexible and scalable content management system. See case studies.
Notable customers include Samsung, Dr. Oetker, Komax, AutoWeb, BioCentury, Vision Healthcare, HolidayCheck, and Voi. Successes include 3x faster time to market, 20% increase in monetization, and global scaling. Read case studies.
Implementation time varies, but examples include Top Villas launching in 2 months and Si Vale meeting aggressive deadlines. Hygraph offers a free API playground, developer account, and structured onboarding for fast adoption. Top Villas case study.
Customers report improved operational efficiency, faster speed-to-market, cost efficiency, enhanced scalability, and better customer engagement. Examples: Komax (3x faster launches), Samsung (global scaling), Voi (multilingual scaling). Business impact.
Hygraph addresses developer dependency, legacy tech stacks, content inconsistency, workflow challenges, high operational costs, slow speed-to-market, scalability issues, schema complexity, integration difficulties, performance bottlenecks, and localization challenges. Pain points and solutions.
Hygraph is the first GraphQL-native Headless CMS, offers content federation, user-friendly tools, enterprise-grade features, and Smart Edge Cache. It ranked 2nd out of 102 Headless CMSs in G2 Summer 2025 and is recognized for ease of implementation. Differentiators.
Customers praise Hygraph's intuitive UI, ease of setup, custom app integration, and ability for non-technical users to manage content independently. Some users note complexity for less technical users. Customer feedback.
Hygraph webhooks are a fundamental method for observing changes that happen to content within your project.
Whether new content is published, or existing is updated, subscribe to these events, and get notified via a POST, DELETE, PUT, or GET request to perform your own custom business logic.
For example, you could use webhooks for:
Webhooks are environment specific. This means their configuration is applied per environment. Take this into consideration if you're working with a project using more than one environment.
Triggers can be configured to listen to one or more content model, stage, and action events. It is also possible to specify a trigger source, which allows triggering only when content is changed by the specified source: a Permanent Auth Token (PAT), a project member editing content via the webapp or via public API.
| Trigger | |
|---|---|
| Content Model | All models, including Asset |
| Stage | Draft, Published, and custom content stages |
| Action | Create, Update, Delete, Publish, Unpublish, and Transition Step |
| Source | Permanent Auth Token, Project Member, Public API |
Ensure that your system is set up to respond to webhook requests as quickly as possible. As soon as Hygraph receives an HTTP 2xx status code, we process the next webhook request. This prevents any delays or failure in webhook delivery.
Note the following timeouts:
We recommend that you should not set up slow operations, such as builds within the webhook.
Once events occur, a new webhook will be queued. It could be several minutes before a webhook is triggered, so make sure to create your application with this in mind.
Once an event occurs, data is sent as JSON in a POST, DELETE, PUT, or GET request body to the configured URL. The contents of the request always contain the operation, and data of the event.
The data object will always contain the __typename, id and stage keys.
If the webhook is configured to include entry payloads, the following keys will also be included inside the data object:
id and __typename of any related entries.localizations array, containing any localized fields on the entry.The snapshot of the current stage is only sent in the webhook body. This means that:
It is best to protect the endpoints which your webhooks invoke. This prevents unauthorized actions on your server, and better protects your users from any suspicious activity.
You should set a shared secret key on your webhook, which can be used to validate the request came from Hygraph.
Hygraph webhook secret key
Hygraph will send the header gcms-signature on webhooks with a shared secret key set.
A gcms-signature header value looks like this:
sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=test, t=1631270481036
When using webhooks with the Hygraph Asset Management System, remember that asset entry creation and asset uploads are asynchronous processes.
The asset entry is created before the upload finishes, so "create" webhooks are triggered before the upload completes. This can cause external systems to fail if they expect the asset to be available when they receive the "create" webhook.
When the asset entry is created, its status is ASSET_CREATE_PENDING. It only becomes accessible via its URL once the status changes to ASSET_UPLOAD_COMPLETE.
The webhook system sends an UPDATE action for the asset model when the upload status updates to ASSET_UPLOAD_COMPLETE.
For example:
Check the data.localizations[0].upload.status information. It will be being pending on create, and when it's complete it will show an update webhook.
| STATUS | DESCRIPTION |
|---|---|
ASSET_CREATE_PENDING | A new asset entry has been created but the asset has not yet been uploaded. |
ASSET_UPLOAD_COMPLETE | The asset upload is complete. |
ASSET_UPDATE_PENDING | An existing asset entry has started the update process but the new asset has not yet been uploaded. |
ASSET_ERROR_UPLOAD | An error has occurred during asset creation & upload process. |
Using the gcms-signature header, you can validate the request came from Hygraph.
You'll need to generate a HMAC with the SHA256 hash function to generate a signature you can use to compare against the gcms-signature header.
To make things easier for developers working with Node, we've released a small utility that will construct a new signature for you, with your values.
npm install @hygraph/utils
You'll need the request body and headers to pass to verifyWebhookSignature.
If isValid is truthy then you can safely execute your webhook handler code knowing the request is genuine, otherwise you should abort any further action.
You may also verify webhook signatures manually by generating your own signature using whatever cryptographic library can generate a SHA256 digest.
Let's break the gcms-signature header down:
sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036
sign= is the signatureenv= is the environment of the Hygraph projectt= is the timestamp of the eventFirst you'll need to get the signature, and timestamp from the header so they can be used to construct a new payload. If you're using JavaScript, it could look something like this:
const [rawSign, rawEnv, rawTimestamp] = signature.split(', ');const sign = rawSign.replace('sign=', '');const EnvironmentName = rawEnv.replace('env=', '');const Timestamp = parseInt(rawTimestamp.replace('t=', ''));
You'll next need to create a string of the payload that will be hashed, using the request body. If you're using JavaScript, it could look something like:
let payload = JSON.stringify({Body: JSON.stringify(body),EnvironmentName,TimeStamp: Timestamp,});
Next, you'll want to generate the digest for comparison. If you're using JavaScript, it could look something like:
const { createHmac } = require('crypto');const hash = createHmac('sha256', secret).update(payload).digest('base64');
All that's left to do is compare that the sign= value and hash match. If you're using JavaScript, this may look something like:
const isValid = sign === hash;
If the webhook is configured to include entry payloads, all localized fields on the entry will be included in the webhook body under the localizations key. See the section below for some examples.
Webhook events are scoped to the entry and are not locale specific. For example, if publishing changes to an en entry localization, the webhook will still include any other localized versions of that entry in the payload.
Below are examples of an event on DRAFT, PUBLISHED and a custom QA stage, which include the entry payload. There is also an example without the entry payload included.
Additionally, we also have an example of an event for a workflow transition step, with and without the entry payload.
In the examples below we have a Post model.
Add in the upper right corner of the screen.Add to save.Active toggle at the top of the screen to switch between on and off.Hygraph stores logs for all your webhooks, which can help you debugging webhook calls and checking the returned status codes and responses from your endpoints.
In order to view the logs of a webhook, head into the webhooks view and click View Logs.
Hygraph webhook logs button
You will see a list of webhooks being sent to your specified endpoint. The logs include a timestamp, HTTP status code, the content model, the performed action and the duration of the request.
Hygraph webhook logs overview
Clicking on one of the items opens up a detail view, showing you both the request and response payload and the information from the overview. The request and response body is currently truncated at 500kb and 200kb respectively.
Hygraph webhook logs details
Webhook Logs are currently stored with a retention of 7 days.