Zapier and Make

Catch a Hypeline change event in Zapier or Make. Use Catch Hook for speed, Catch Raw Hook plus a Code step to verify the signature, and a Make custom webhook seeded by a test send.

Zapier and Make both turn an inbound HTTP POST into a workflow trigger. This recipe registers a Hypeline webhook destination against each platform's inbound URL, following the mental model from the automation platforms overview: an alert delivers to a webhook destination, and here that destination is the platform's catch URL.

Zapier: fast path with Catch Hook

Use this when you want to map fields quickly and are willing to trust the unguessable catch URL as your secret.

  1. In Zapier, add a Webhooks by Zapier trigger and choose Catch Hook. Zapier mints a URL like https://hooks.zapier.com/hooks/catch/123456/abcdef/.
  2. Register that URL as a Hypeline destination. Use a scoped alert so the Zap only fires for the query you care about:
bash
curl -X POST https://api.hypeline.io/v1/alerts/{alert_id}/destinations \
  -H "Authorization: Bearer $YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"kind":"webhook","url":"https://hooks.zapier.com/hooks/catch/123456/abcdef/","delivery_mode":"instant"}'
  1. Fire a sample so Zapier learns the shape: POST /v1/destinations/{id}/test sends one signed sample delivery.
  2. Map the fields Zapier surfaces. Catch Hook flattens nested JSON, so you get top-level fields (id, url, title, emitted_at, source_type) plus flattened children for nested objects, for example diff__added and tags[] entries.

Dedup: add a Filter or a Storage by Zapier check keyed on id (the event UUIDv7) so an at-least-once redelivery does not run the Zap twice.

Zapier: verified path with Catch Raw Hook

Use this when you want to verify the Standard Webhooks HMAC. Catch Raw Hook hands your Zap the unparsed body and headers, so a Code step can check the signature over the exact bytes.

  1. Add Webhooks by Zapier > Catch Raw Hook and register its URL exactly as above.
  2. Add a Code by Zapier step (Run JavaScript; Node's crypto is available). It verifies the HMAC, checks freshness, then parses:
javascript
const crypto = require("crypto");

// inputData.rawBody, inputData.id, inputData.ts, inputData.sig are mapped from
// the Catch Raw Hook body and the webhook-id / webhook-timestamp / webhook-signature
// headers. inputData.secret is your whsec_ secret (store it in the step, not inline).
function signingKey(secret) {
  const body = secret.startsWith("whsec_") ? secret.slice(6) : secret;
  const raw = Buffer.from(body, "base64");
  return raw.length > 0 ? raw : Buffer.from(secret);
}

const key = signingKey(inputData.secret);
const mac = crypto.createHmac("sha256", key);
mac.update(`${inputData.id}.${inputData.ts}.`);
mac.update(inputData.rawBody);
const want = "v1," + mac.digest("base64");

const ok = inputData.sig.split(" ").some((got) => {
  const a = Buffer.from(got);
  const b = Buffer.from(want);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
});

if (!ok) throw new Error("bad signature");
if (Math.abs(Date.now() / 1000 - Number(inputData.ts)) > 300) {
  throw new Error("stale timestamp");
}

const event = JSON.parse(inputData.rawBody);
output = { id: event.id, url: event.url, title: event.title, tags: event.tags };

Downstream steps map from the Code step's output, and you dedup on output.id.

Make: custom webhook seeded by a test send

Make auto-detects nested JSON structure, so mapping is native once it has seen a real sample.

  1. In Make, add a Custom webhook module and copy its URL (https://hook.eu2.make.com/...).
  2. Register it as a Hypeline destination:
bash
curl -X POST https://api.hypeline.io/v1/alerts/{alert_id}/destinations \
  -H "Authorization: Bearer $YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"kind":"webhook","url":"https://hook.eu2.make.com/YOUR_HOOK_ID","delivery_mode":"instant"}'
  1. Click Determine data structure in the webhook module, then fire a real sample with POST /v1/destinations/{id}/test. Make captures it and builds the mapping tree, including nested diff and tags, so downstream modules reference fields natively.

Make has no native HMAC verification

Make cannot recompute the Standard Webhooks HMAC on the inbound POST. Treat the custom webhook URL as a secret (it is unguessable), and for content authenticity add a downstream step that verifies the event's Ed25519 signature against the published JWKS. That check holds even though Make parsed the JSON.

Dedup: route on the id field with a filter or a data store keyed by id so a redelivery does not run the scenario twice.

Shared notes

  • Every path here pins delivery_mode: "instant": one event per POST. A digest destination posts a batch wrapper with an events array, which these mappings do not expect.
  • Destination URLs must be public HTTPS. Zapier and Make catch URLs already are, so no tunnel is needed.