> ## Documentation Index
> Fetch the complete documentation index at: https://nango.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Receive webhooks from Nango
> Reference for the webhooks Nango sends to your app — setup, types, payloads, signature verification, and retries.
Nango POSTs webhooks to your app to notify it of important events: a new connection was created, a sync run finished, an async action completed, or an external webhook was forwarded. This page covers how to receive and verify webhooks from Nango, plus the payloads for auth, sync, and async action webhooks.
To process webhooks coming **from external APIs** (not from Nango), see [Process external webhooks](/getting-started/use-cases/webhooks-from-external-apis). To forward external API webhooks through Nango to your app, see [Webhook forwarding](/guides/platform/webhook-forwarding).
## Set up webhooks from Nango
Webhook settings in Nango are specific to each [environment](/guides/platform/environments).
To subscribe to Nango webhooks:
1. Set up a `POST` endpoint in your app to receive the Nango webhooks
2. Input the endpoint's URL in your *Environment Settings*, under *Webhook URLs* ([direct link for your dev environment](https://app.nango.dev/dev/environment-settings#notification))
3. Implement [verify incoming webhooks](#verifying-webhooks-from-nango) to ensure sure only authentic Nango webhooks are processed
4. Implement processing logic for each [webhook type](#types-of-nango-webhooks) from Nango you want to handle
* Make sure your processing logic handles the webhooks you have enabled in the environment settings
You can configure up to two webhook URLs per environment. Nango webhooks will be sent to both.
To test webhooks locally, use a webhook forwarding service like [ngrok](https://dev.to/mmascioni/testing-and-debugging-webhooks-with-ngrok-4alp), or [webhook.site](https://webhook.site/).
## Verifying webhooks from Nango
Validate webhooks from Nango by looking at the `X-Nango-Hmac-Sha256` header.
It's an HMAC-SHA256 hash of the webhook payload, using the webhook signing key found in **Environment Settings > Webhooks > Signing key** in the Nango UI.
Nango webhook requests include an `X-Nango-Hmac-Sha256` header for secure verification. A legacy `X-Nango-Signature` header (using plain SHA-256) is also sent for backwards compatibility but should not be used. If you're currently using `X-Nango-Signature`, migrate to `X-Nango-Hmac-Sha256` for improved security.
The webhook signature can be generated with the following code:
```typescript theme={null}
async (req, res) => {
const isValid = nango.verifyIncomingWebhookRequest(req.body, req.headers);
}
```
```typescript theme={null}
import crypto from 'crypto';
const secretKeyDev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
const body = // raw request body as string
const hash = crypto.createHmac('sha256', secretKeyDev).update(body).digest('hex');
```
```python theme={null}
import hmac
import hashlib
secret_key_dev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
body = # raw request body as bytes
hash = hmac.new(secret_key_dev.encode('utf-8'), body, hashlib.sha256).hexdigest()
```
```java theme={null}
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
public class Main {
public static void main(String[] args) throws Exception {
String secretKeyDev = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
String body = // raw request body as string
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(secretKeyDev.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secretKey);
byte[] hashBytes = mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
StringBuilder hexString = new StringBuilder();
for (byte b : hashBytes) {
hexString.append(String.format("%02x", b));
}
String hash = hexString.toString();
}
}
```
```ruby theme={null}
require 'openssl'
secret_key_dev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
body = # raw request body
hash = OpenSSL::HMAC.hexdigest('SHA256', secret_key_dev, body)
```
```go theme={null}
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"io"
"net/http"
)
func main() {
secretKeyDev := "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
var body []byte // raw request body
h := hmac.New(sha256.New, []byte(secretKeyDev))
h.Write(body)
hash := hex.EncodeToString(h.Sum(nil))
}
```
```rust theme={null}
use hmac::{Hmac, Mac};
use sha2::Sha256;
type HmacSha256 = Hmac;
let secret_key_dev = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
let body = // raw request body as string or bytes
let mut mac = HmacSha256::new_from_slice(secret_key_dev.as_bytes()).unwrap();
mac.update(body.as_bytes());
let hash = format!("{:x}", mac.finalize().into_bytes());
```
```php theme={null}
```
Only accept a webhook if the `X-Nango-Hmac-Sha256` header value matches the webhook signature.
## Types of Nango webhooks
New Nango webhook types are added regularly, without considering this a breaking change. Your webhook handling logic should gracefully support receiving new types of webhooks by simply ignoring them.
All webhooks from Nango are POST requests.
The exact webhook type definitions can be found [here](https://github.com/NangoHQ/nango/blob/master/packages/types/lib/webhooks/api.ts).
### Auth webhooks
New connection webhooks have `"type": "auth"` and `"operation": "creation"`. They are sent after a connection has been successfully created.
Payload received following a connection creation:
```json theme={null}
{
"type": "auth",
"operation": "creation",
"connectionId": "",
"authMode": "OAUTH2 | BASIC | API_KEY | ...",
"providerConfigKey": "",
"provider": "",
"environment": "DEV | PROD | ...",
"success": true,
"tags": {
"end_user_id": "",
"end_user_email": "",
"organization_id": ""
}
}
```
Processing webhooks with `"type": "auth"` and `"operation": "creation"` is **necessary**. After a connection is created, these webhooks give you the generated connection ID which lets you access the connection later on.
Use `tags` to reconcile and save the connection ID with the user/org/workspace that initiated the connection.
All `authMode` values can be found [here](https://github.com/NangoHQ/nango/blob/master/packages/types/lib/auth/api.ts). The `authMode` value depends on the `provider` value.
All `operation` values are:
* `creation`: a new connection has been created
* `override`: a connection has been re-authorized
* `refresh`: an OAuth connection's access token has failed to refresh
Payload received following a refresh token error:
```json theme={null}
{
"type": "auth",
"operation": "refresh",
"connectionId": "",
"authMode": "OAUTH2 | BASIC | API_KEY | ...",
"providerConfigKey": "",
"provider": "",
"environment": "DEV | PROD | ...",
"success": false,
"tags": {
"end_user_id": "",
"end_user_email": "",
"organization_id": ""
},
"error": {
"type": "",
"description": ""
}
}
```
Webhooks are only sent for certain connection creation errors. For example, during the OAuth flow, some errors are reported locally in the OAuth modal by the external API. Since Nango does not receive these errors, it cannot trigger a webhook for them.
### Sync webhooks
Sync webhooks are sent when a [sync function](/guides/functions/syncs/sync-functions) execution finishes, whether successful or not.
Payload received following a successful sync execution:
```json theme={null}
{
"type": "sync",
"connectionId": "",
"providerConfigKey": "",
"syncName": "",
"model": "",
"syncType": "INCREMENTAL | INITIAL | WEBHOOK", // DEPRECATED
"success": true,
"modifiedAfter": "",
"responseResults": {
"added": number,
"updated": number,
"deleted": number
}
}
```
`modifiedAfter` is an ISO-8601 timestamp marking the start of the last run. To read the changed records, use cursor-based fetching as described in [Records cache → Cursors and sync progress](/guides/functions/syncs/records-cache#cursors-and-sync-progress).
**Fetch records promptly**: Due to Nango's [data retention policies](/guides/platform/security#synced-records-retention), you should fetch and store synced records in your own system promptly after receiving webhook notifications. Records not updated for 30 days will have their payload pruned, and sync functions not executed for 60 days will have all records deleted.
By default, Nango sends a webhook even if no modified data was detected in the last sync execution (referred as an "empty" sync), but this is configurable in your *Environment Settings*. In case of an empty sync, the `responseResults` would be:
```json theme={null}
{
"added": 0,
"updated": 0,
"deleted": 0
}
```
Payload received following a failed sync execution:
```json theme={null}
{
"type": "sync",
"connectionId": "",
"providerConfigKey": "",
"syncName": "",
"model": "",
"syncType": "INCREMENTAL | INITIAL | WEBHOOK", // DEPRECATED
"success": true,
"error": {
"type": "",
"description": ""
},
"startedAt": "",
"failedAt": ""
}
```
### External webhook forwarding
Forwarded external webhooks use the same webhook URLs, signing, retries, and logs as other Nango webhooks. See [Webhook forwarding](/guides/platform/webhook-forwarding) for setup, routing behavior, and payload shapes.
## Webhook retries & debugging
Nango retries each webhook with non-2xx responses 2 times with exponential backoff (starting delay: 100ms, time multiple: 2, view details in the [code](https://github.com/NangoHQ/nango/blob/master/packages/webhooks/lib/utils.ts)).
Webhooks time out after 20 seconds.
Each webhook attempt is logged in Nango's [logs](/guides/platform/observability).
You can also use the [OpenTelemetry exporter](/guides/platform/observability#opentelemetry-export) to monitor Nango webhooks in your own observability stack.
**Questions, problems, feedback?** Please reach out in the [Slack community](https://nango.dev/slack).
## Related guides
* [Webhook forwarding](/guides/platform/webhook-forwarding) - forward external provider webhooks through Nango.
* [Webhook functions](/guides/functions/webhook-functions) - process provider webhooks inside Nango.
* [Event functions](/guides/functions/event-functions) - react to connection lifecycle events.
* [Observability](/guides/platform/observability) - monitor webhook operations and retries.