Webhooks are how you turn n8n workflows into callable endpoints. In this guide, we’ll cover what they are, how to test vs. run in production, the main HTTP methods (GET/POST/PATCH/DELETE/PUT/HEAD), returning responses, locking things down with authentication (Basic, Header/API-Key/Bearer, JWT), and hardening options like CORS, IP allowlists, and more.
If you’re following along with the video, you can recreate the demo using Supabase for a simple contacts table and Postman/cURL for requests. A SQL placeholder is included below—paste your script there when ready.
What is a webhook in n8n?
An n8n Webhook node exposes an HTTP endpoint that can receive data (query params, headers, body including JSON/form/binary) and trigger a workflow. It can also return data either immediately or after other nodes finish—effectively letting you build lightweight API endpoints.
Two URLs per webhook:
Test URL (for development) — use while building; receive data directly in the Editor UI. It’s active only while you’re listening, and listens for ~120 seconds.
Production URL (for live use) — requires the workflow to be Active (toggled on).
Test vs Production: how they behave
Test URL only triggers the Webhook node; it’s great for capturing sample payloads while you map fields downstream. Click Listen for test event to make it live.
Production URL runs the whole workflow and can return data depending on your response settings (explained below).
Tip: If you self-host behind a reverse proxy or load balancer, ensure your Production URL is correctly exposed end-to-end (HTTPS recommended). If you switch between URLs and see odd behaviour, double-check your environment and any reported bugs for your n8n version.
HTTP methods you can use
n8n’s Webhook supports: GET, POST, PATCH, DELETE, PUT, HEAD. Use them as you would in a typical REST flow (GET for reads, POST for creation,
