docs(workflows): document the webhook trigger (PRD-186)#11
docs(workflows): document the webhook trigger (PRD-186)#11christophebrun-forest wants to merge 3 commits into
Conversation
Add end-to-end documentation for the workflow webhook trigger: - New API reference page for the trigger endpoint: copied webhook URL, Bearer application-token auth, JSON body, 202/4xx/409/429 responses, idempotency and per-webhook rate limiting. - New no-code page covering the Process-section triggers (Manual vs Webhook), URL copy, token management, URL regeneration and revocation. - Wire both pages into the navigation, the API endpoints table, the workflows overview and the execute page. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| |---|---|---| | ||
| | **Disable the Webhook toggle** | Turns the trigger off. URL and token are unchanged. | `404` | | ||
| | **Generate a new URL** | Invalidates the current URL. | `400` (old URL) | | ||
| | **Invalidate / expire the token** | Done by the token's user, from account settings. | `401` | |
There was a problem hiding this comment.
🟡 Medium workflows/triggers.mdx:66
The docs say to invalidate or expire the application token "from account settings," but tokens are actually managed under Project Settings > API Access, not account settings. A user following these instructions will look in the wrong place and be unable to promptly revoke a compromised webhook token. Correct the location reference so users can find the token management UI quickly.
| | **Invalidate / expire the token** | Done by the token's user, from account settings. | `401` | | |
| | **Invalidate / expire the token** | Done by the token's user, from `Project Settings > API Access`. | `401` | |
🚀 Reply "fix it for me" or copy this AI Prompt for your agent:
In file @product/process/workflows/triggers.mdx around line 66:
The docs say to invalidate or expire the application token "from account settings," but tokens are actually managed under `Project Settings > API Access`, not account settings. A user following these instructions will look in the wrong place and be unable to promptly revoke a compromised webhook token. Correct the location reference so users can find the token management UI quickly.
There was a problem hiding this comment.
Dismissing this one: the workflow webhook trigger authenticates with an API token managed in Account Settings, which is a different scope from the public-API tokens under Project Settings > API Access. So invalidating the token from account settings is correct here. The canonical authentication.mdx also documents token creation under Account Settings.
The other three comments were addressed in 508884f (moved the endpoint out of the public-API table into a Note, added a response.ok check to the Node.js example, and scoped the "safe to retry" guidance to in-flight runs).
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
- clarify that a superseded/regenerated URL returns 400 in the errors table - align the revocation table button label with "Generate new URL" Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- move the webhook endpoint out of the public API table into a Note, since its URL does not follow the base URL + path convention - check response.ok in the Node.js example before parsing the body - scope the "safe to retry" guidance to in-flight runs only Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
|
||
| ### Authentication | ||
|
|
||
| All requests require a Forest **application token** in the `Authorization` header, presented with the Bearer scheme. Generate one from [your account settings](https://app.forestadmin.com/user-settings). |
There was a problem hiding this comment.
🟡 Medium endpoints/trigger-workflow-webhook.mdx:20
The documentation contradicts itself on how authentication works. The "Authentication" section says any Forest application token whose user can reach the rendering will work (lines 26–32), but the "Revoking access" section says expiring "the" application token makes webhook calls return 401 (line 149). Both cannot be true: if any valid user token works, expiring one token would not revoke access because the caller could switch to another valid token. This leads integrators to set up the wrong credentials and provides false revocation guidance. The page should state that callers must use a specific token associated with the webhook, or clarify what "the application token" refers to.
🚀 Reply "fix it for me" or copy this AI Prompt for your agent:
In file @reference/api/endpoints/trigger-workflow-webhook.mdx around line 20:
The documentation contradicts itself on how authentication works. The "Authentication" section says any Forest application token whose user can reach the rendering will work (lines 26–32), but the "Revoking access" section says expiring "the" application token makes webhook calls return `401` (line 149). Both cannot be true: if any valid user token works, expiring one token would not revoke access because the caller could switch to another valid token. This leads integrators to set up the wrong credentials and provides false revocation guidance. The page should state that callers must use a specific token associated with the webhook, or clarify what "the application token" refers to.
What
Documents the workflow webhook trigger shipped in PRD-186 (docs task tracked by PRD-616 · S11).
New pages
reference/api/endpoints/trigger-workflow-webhook.mdx— the external HTTP contract: the webhook URL is copied from the workflow's trigger settings (not assembled from IDs, no hard-coded host), Bearer application-token auth doubling as execution identity, JSON body (record_id, composite PKs),202+runId, full response table (400/401/403/404/409/429), idempotency (single-run-per-record409, no resume, retry-safe) and per-webhook rate limiting (429+Retry-After).product/process/workflows/triggers.mdx— no-code page: Manual vs Webhook triggers, enabling the webhook, URL copy + token management (expiry / invalidate / regenerate), URL regeneration flow, the three revocation levers, and audit (webhook-triggered).Updates
docs.json— new pages added to the Workflows and Endpoints nav groups.reference/api/introduction.mdx— endpoint added to the endpoints table.product/process/workflows/overview.mdx— new "Triggering workflows" section + card.product/execute/workflows.mdx— mention of the webhook trigger.images/workflows/— two screenshots for the no-code page.Open points
api.forestadmin.compublic-API base referenced inintroduction.mdx.🤖 Generated with Claude Code
Note
Document the workflow webhook trigger and its API endpoint
POST <webhook_url>, documenting authentication, request body, async execution, idempotency (409), rate limiting (429), and all error statuses.Macroscope summarized 508884f.