Zapier and Make
Catch a Hypeline change event in Zapier or Make. Use Catch Hook for speed, Catch Raw Hook plus a Code step to verify the signature, and a Make custom webhook seeded by a test send.
Zapier and Make both turn an inbound HTTP POST into a workflow trigger. This recipe registers a Hypeline webhook destination against each platform's inbound URL, following the mental model from the automation platforms overview: an alert delivers to a webhook destination, and here that destination is the platform's catch URL.
Zapier: fast path with Catch Hook
Use this when you want to map fields quickly and are willing to trust the unguessable catch URL as your secret.
- In Zapier, add a Webhooks by Zapier trigger and choose Catch Hook. Zapier mints a URL like
https://hooks.zapier.com/hooks/catch/123456/abcdef/. - Register that URL as a Hypeline destination. Use a scoped alert so the Zap only fires for the query you care about:
curl -X POST https://api.hypeline.io/v1/alerts/{alert_id}/destinations \
-H "Authorization: Bearer $YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"kind":"webhook","url":"https://hooks.zapier.com/hooks/catch/123456/abcdef/","delivery_mode":"instant"}'- Fire a sample so Zapier learns the shape:
POST /v1/destinations/{id}/testsends one signed sample delivery. - Map the fields Zapier surfaces. Catch Hook flattens nested JSON, so you get top-level fields (
id,url,title,emitted_at,source_type) plus flattened children for nested objects, for examplediff__addedandtags[]entries.
Dedup: add a Filter or a Storage by Zapier check keyed on id (the event UUIDv7) so an at-least-once redelivery does not run the Zap twice.
Zapier: verified path with Catch Raw Hook
Use this when you want to verify the Standard Webhooks HMAC. Catch Raw Hook hands your Zap the unparsed body and headers, so a Code step can check the signature over the exact bytes.
- Add Webhooks by Zapier > Catch Raw Hook and register its URL exactly as above.
- Add a Code by Zapier step (Run JavaScript; Node's
cryptois available). It verifies the HMAC, checks freshness, then parses:
const crypto = require("crypto");
// inputData.rawBody, inputData.id, inputData.ts, inputData.sig are mapped from
// the Catch Raw Hook body and the webhook-id / webhook-timestamp / webhook-signature
// headers. inputData.secret is your whsec_ secret (store it in the step, not inline).
function signingKey(secret) {
const body = secret.startsWith("whsec_") ? secret.slice(6) : secret;
const raw = Buffer.from(body, "base64");
return raw.length > 0 ? raw : Buffer.from(secret);
}
const key = signingKey(inputData.secret);
const mac = crypto.createHmac("sha256", key);
mac.update(`${inputData.id}.${inputData.ts}.`);
mac.update(inputData.rawBody);
const want = "v1," + mac.digest("base64");
const ok = inputData.sig.split(" ").some((got) => {
const a = Buffer.from(got);
const b = Buffer.from(want);
return a.length === b.length && crypto.timingSafeEqual(a, b);
});
if (!ok) throw new Error("bad signature");
if (Math.abs(Date.now() / 1000 - Number(inputData.ts)) > 300) {
throw new Error("stale timestamp");
}
const event = JSON.parse(inputData.rawBody);
output = { id: event.id, url: event.url, title: event.title, tags: event.tags };Downstream steps map from the Code step's output, and you dedup on output.id.
Make: custom webhook seeded by a test send
Make auto-detects nested JSON structure, so mapping is native once it has seen a real sample.
- In Make, add a Custom webhook module and copy its URL (
https://hook.eu2.make.com/...). - Register it as a Hypeline destination:
curl -X POST https://api.hypeline.io/v1/alerts/{alert_id}/destinations \
-H "Authorization: Bearer $YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"kind":"webhook","url":"https://hook.eu2.make.com/YOUR_HOOK_ID","delivery_mode":"instant"}'- Click Determine data structure in the webhook module, then fire a real sample with
POST /v1/destinations/{id}/test. Make captures it and builds the mapping tree, including nesteddiffandtags, so downstream modules reference fields natively.
Make has no native HMAC verification
Make cannot recompute the Standard Webhooks HMAC on the inbound POST. Treat the custom webhook URL as a secret (it is unguessable), and for content authenticity add a downstream step that verifies the event's Ed25519 signature against the published JWKS. That check holds even though Make parsed the JSON.
Dedup: route on the id field with a filter or a data store keyed by id so a redelivery does not run the scenario twice.
Shared notes
- Every path here pins
delivery_mode: "instant": one event perPOST. A digest destination posts a batch wrapper with aneventsarray, which these mappings do not expect. - Destination URLs must be public HTTPS. Zapier and Make catch URLs already are, so no tunnel is needed.