← All Articles
automation

Why Isn't My Webhook Working?

The Complete Guide to Troubleshooting Webhooks, API Errors, and Integration Failures

Why Isn't My Webhook Working?
From NewMotion

Need Help Fixing a Broken Webhook Integration?

We design and troubleshoot API and webhook integrations so data moves reliably between your business systems. Book a free call.

Webhooks are the invisible glue connecting modern business software. Every day they move new leads, customer information, payments, invoices, appointments, support tickets, CRM updates, and inventory changes between dozens of different applications, usually without anyone thinking about them at all until something goes wrong.

When a webhook stops working, entire business processes stop working with it. Customers do not get their emails. Leads disappear before a sales rep ever sees them. Orders never sync to fulfillment. Invoices are never created. Most people assume the webhook itself is broken. In reality, the webhook is usually doing exactly what it was designed to do. The problem is somewhere else in the chain. This guide walks through the exact troubleshooting process we use to diagnose webhook failures for businesses.

188What Is A Webhook?

What is a webhook: an automated message sent from one application to another the moment a specific event happens, moving data in real time between business systems without manual intervention

A webhook is an automated message sent from one application to another the moment something specific happens. A customer submits a form, the form platform sends a webhook, a CRM receives it and creates a contact, that new contact triggers a downstream automation, and a sales rep gets notified, all within seconds and without anyone manually moving the data between systems.

This is different from a standard API call, which is a request one system deliberately makes to another when it wants information, and different again from polling, where a system periodically checks another system for changes on a schedule rather than being told immediately when something happens. Webhooks are event-driven: the sending application pushes data out the instant the triggering event occurs, rather than waiting to be asked.

189How A Webhook Works

The full path a webhook takes looks like this: an event happens inside the sending application, the application sends the webhook, that request travels across the internet, it arrives at a receiving server, that server authenticates the request, validates the payload it received, runs whatever business logic is supposed to happen next, and sends a response back indicating success or failure. A breakdown at any single point in that chain, not just at the two ends, can cause the entire integration to fail, often without an obvious explanation to whoever is looking at it from the business side.

190The 12 Most Common Reasons A Webhook Isn't Working

The 12 most common reasons a webhook isn't working: incorrect URL, 401 authentication failure, 403 permission error, 404 not found, 400 bad request, 500 server error, invalid JSON payload, missing headers, SSL certificate problems, request timeout, payload validation failure, and third-party platform issues

1. The Webhook URL Is Incorrect

A webhook pointed at the wrong endpoint will never reach its intended destination, and this happens more often than it should: a development or staging URL accidentally left in a production configuration, an endpoint that was deleted or moved when a system was updated, or a simple typo in a URL that was copied and pasted by hand. Verifying the exact URL currently configured on the sending side, character by character, against the actual live endpoint on the receiving side is the first thing to check before assuming anything more complicated is wrong.

2. Authentication Failed (401 Unauthorized)

A 401 response means the receiving server does not recognize the request as coming from an authorized source. This typically happens with an expired API key, an expired or improperly refreshed bearer token, an OAuth connection that lost its authorization, a JWT token that has passed its expiration time, or an authentication header that was simply never included in the request. Regenerating the credential, confirming it is being sent in the exact header format the receiving API expects, and testing that specific request in isolation resolves the majority of 401 errors.

3. Permission Errors (403 Forbidden)

A 403 response means the request reached the server and was correctly authenticated, but the authenticated account or token is not allowed to perform the specific action it attempted. This is a narrower problem than a 401 and usually points to missing scopes on an API token, incorrect permissions on the user or integration account, a role restriction inside the receiving application, or an API key that was issued with a more limited set of permissions than the integration actually needs.

4. Resource Doesn't Exist (404 Not Found)

A 404 means the server received the request but could not find whatever it was pointed at. Common causes include an endpoint that was deleted or renamed, an incorrect route or path in the webhook configuration, an API version change where the old endpoint path no longer exists, a trailing slash inconsistency between what was configured and what the API expects, or a request accidentally pointed at a sandbox or development environment instead of the live production environment.

5. Bad Request (400 Error)

A 400 response means the server understood where the request was going but rejected the request itself, usually because of malformed JSON, a required field that was missing entirely, a value submitted as the wrong data type, such as a number sent as text, invalid formatting in a specific field, or an unexpected value the receiving API's validation rules do not accept. The error message attached to a 400 response frequently identifies the exact field that caused the rejection, which is the fastest place to start looking rather than reviewing the entire payload from scratch.

6. Internal Server Errors (500 Errors)

A 500 error means the request itself was valid, but the receiving application failed while trying to process it. This is on the receiving side, not the sender's. Common causes include a server crash, a database failure on the receiving end, a bug in the receiving application's own code, or a temporary outage. There is generally very little the sending side can do to directly fix a 500 error beyond confirming the payload was correctly formed and then retrying, since the failure is happening inside the system that received the request.

7. Invalid JSON Payload

Webhook payloads are almost always sent as JSON, and JSON is unforgiving about syntax. A missing comma, mismatched quotes, unbalanced brackets, a malformed array or object, or an incorrect character encoding can make an entire payload unreadable to the receiving server, even if every individual value inside it is otherwise correct. Running the exact payload through a JSON validation tool before troubleshooting anything else quickly rules out or confirms this as the cause.

8. Missing Headers

APIs frequently reject requests outright if certain headers are missing, regardless of whether the payload itself is valid. The Authorization header carries authentication credentials. The Content-Type header tells the receiving server what format the payload is in, most commonly application/json. The Accept header indicates what response format the sender expects back. And the User-Agent header identifies the calling application, which some APIs use as part of their own filtering or logging. A request missing any of these can fail even when everything else about it is correctly configured.

9. SSL Certificate Problems

Modern APIs generally require HTTPS, and an expired certificate, an invalid or misconfigured certificate, a self-signed certificate that the sending system does not trust, or mixed content issues where secure and insecure resources are combined on the same endpoint can all cause a webhook delivery to fail before the request payload is ever evaluated. This class of failure often produces a connection-level error rather than a standard HTTP status code, which is a useful signal that the problem is happening before the request even reaches the application layer.

10. Request Timeout

Every API enforces some limit on how long it will wait for a response before giving up. A long-running process on the receiving end, a slow server, an unusually large payload that takes longer than normal to transmit and process, or simply hitting a strict timeout threshold can all cause a request that would have eventually succeeded to fail purely on time. Optimizing how quickly the receiving endpoint responds, and understanding how the sending system handles retries after a timeout, both matter here.

11. Payload Validation Failed

A payload can be syntactically perfect JSON and still get rejected because it fails a business rule the receiving application enforces: a required field that is technically present but exceeds a maximum length, formatting that does not match what a specific field expects, a business rule the payload violates, or duplicate validation logic on the receiving end intentionally rejecting a record it considers already processed. This is a step beyond basic JSON validity, and it is worth checking the receiving application's specific validation rules, not just whether the JSON itself parses correctly.

12. Third-Party Platform Issues

Sometimes the problem is not on either side of the integration you built. It is a vendor outage, scheduled API maintenance, a rate limit being enforced on the platform's end, or a version change to an API that broke compatibility with an integration built against an earlier version. Checking a platform's public status page, and reviewing its changelog for recent API updates, is worth doing before assuming the fault lies entirely within your own configuration.

191Understanding HTTP Status Codes

The status code attached to a webhook response is usually the fastest starting point for diagnosis. 200 OK and 201 Created both indicate success, with 201 specifically confirming that a new resource was created. 202 Accepted means the request was received and will be processed, but not necessarily completed yet. 204 No Content confirms success with no response body returned. 400 Bad Request means the request itself was malformed. 401 Unauthorized means authentication failed or was missing entirely. 403 Forbidden means authentication succeeded but the action itself is not permitted. 404 Not Found means the endpoint does not exist at the address the request was sent to. 409 Conflict typically means the request contradicts the current state of the resource, such as attempting to create something that already exists. 422 Unprocessable Entity means the request was well formed but failed a business validation rule. 429 Too Many Requests means a rate limit was hit. 500 Internal Server Error means the receiving application failed while processing an otherwise valid request. 502 Bad Gateway and 504 Gateway Timeout both point to a problem with an intermediary server or proxy sitting between the sender and the final destination. And 503 Service Unavailable typically means the receiving server is temporarily overloaded or down for maintenance. Knowing which category a given error falls into, client-side (400 range) versus server-side (500 range), immediately narrows down where to look next.

192How We Troubleshoot Webhooks

We follow the same sequence on every webhook issue we investigate. Review the specific event in question rather than assuming it behaves like every other event the integration has processed. Verify the URL configured on the sending side matches the actual live endpoint exactly. Check authentication, confirming credentials are current and formatted correctly. Inspect every header included in the actual request, not just the ones assumed to be present. Validate the JSON payload independently of the rest of the troubleshooting process. Review API logs on whichever side exposes them. Review server logs on the receiving application if you have access to them. Send a test payload directly to isolate the failure from the live business process that normally triggers it. Monitor the actual response returned, including its status code and any error detail. And only then implement a fix aimed at the confirmed root cause, rather than a change based on an assumption about what was probably wrong.

193The Best Tools For Testing Webhooks

Postman

Postman is built for testing API requests generally, and that makes it well suited to webhook testing too. It lets you construct a request with specific headers, authentication, and a payload, send it directly to an endpoint, and inspect exactly what comes back, which isolates a webhook failure from the live system that would normally trigger it.

webhook.site

webhook.site generates a temporary public URL that captures and displays every incoming request sent to it, including full headers and the raw payload body. It is one of the fastest ways to confirm exactly what a sending platform is actually transmitting, which is often different from what its own documentation describes.

RequestBin (Now Part Of Pipedream)

The original standalone RequestBin was discontinued and now operates as a feature inside Pipedream's workflow automation platform. It still works for capturing and inspecting incoming webhook payloads, though it now sits inside a broader automation product rather than functioning as the simple, standalone inspector it once was.

ngrok

ngrok creates a secure, public tunnel to a local development server, which makes it possible to receive and test real webhook deliveries against code still running on a developer's own machine, before anything is deployed to a live server.

JSONLint

JSONLint and similar JSON validation tools check whether a payload is syntactically valid JSON, immediately flagging missing commas, unbalanced brackets, or malformed structure. Running a suspect payload through a validator is one of the fastest ways to rule out, or confirm, invalid JSON as the cause of a failure.

Browser Developer Tools

For webhooks triggered by an action on a web page, a browser's built-in developer tools let you inspect the actual network requests being sent in real time, which is useful for catching issues before a request even leaves the browser.

API Documentation

None of the tools above replace comparing an actual request against the receiving platform's official API documentation. Documentation defines exactly what headers, authentication method, and payload structure a given endpoint expects, and a request that looks reasonable can still fail simply because it does not match what the documentation specifies.

194Common Webhook Mistakes Businesses Make

The recurring issues we see across webhook integrations include hardcoded URLs that break the moment an endpoint changes, no monitoring in place to catch failures as they happen, no logging that would make a failure easy to diagnose after the fact, no retry strategy for transient failures like a brief timeout, poor or nonexistent documentation of what a given webhook does and what it depends on, credentials that were never rotated and eventually expired, no validation of incoming or outgoing payloads, no defined error handling, no regular testing once an integration was originally built, and no version control tracking changes made to the integration over time. None of these mistakes causes a failure by itself on day one. Combined, and left unaddressed for months or years, they are what turns an occasional webhook failure into a recurring, hard to diagnose operational problem.

195How To Build Reliable Webhook Integrations

Validate incoming data before acting on it rather than assuming every payload will arrive exactly as expected. Authenticate every request rather than trusting the source based on the URL alone. Log every webhook received, including ones that fail, so a future investigation has something to work from. Return proper HTTP responses that accurately reflect what actually happened, since a sending platform's own retry behavior often depends on the specific status code it receives back. Monitor for failures actively rather than discovering them when a customer or team member reports something missing. Implement retries for the specific class of errors that are genuinely transient, without blindly retrying errors that will fail identically every time. Document every endpoint, including what triggers it and what it expects to receive. Version APIs deliberately so a future change does not silently break every integration built against the previous version. Test regularly, not just at the time an integration was first built. And design the entire integration assuming failure will happen at some point, rather than assuming it will run perfectly forever.

196When The Problem Isn't The Webhook

In a large share of the cases we are brought in on, the webhook itself was never actually broken. The real issue is poor API design that makes correct integration unnecessarily difficult, weak or inconsistent authentication practices, a business process that changed without the integration changing alongside it, missing documentation that makes correct configuration a matter of guesswork, systems that were never designed with each other in mind, or an integration architecture that was fragile from the start regardless of which specific webhook happens to be failing this week. Webhooks expose problems that already existed in the surrounding system. They rarely create those problems on their own.

197Why Businesses Reach Out To Us About This

Many of the businesses that contact us are convinced they have a single webhook problem. After reviewing their systems, the issue is usually much larger than one endpoint. We commonly find broken API integrations that were never fully tested against real-world data, missing or improperly maintained authentication, workflow design that made a single point of failure inevitable, business systems that were never designed to work together cleanly, no monitoring in place to catch failures early, and fragile automation architecture that happened to work until the first unexpected change.

Our team helps businesses design API integrations correctly from the start, build custom webhook solutions where an off-the-shelf integration does not cover a specific requirement, troubleshoot automation failures down to their actual root cause, connect business software across the systems a company actually depends on, implement CRM integrations that hold up under real usage, create monitoring systems so failures are caught before a customer notices, improve overall reliability, and modernize operations that have outgrown ad hoc, undocumented integrations. Rather than simply fixing one webhook, we build integration architectures that are secure, scalable, documented, and designed to support long-term business growth.

198If You're Still Stuck

If you have already spent hours trying to figure out why your webhook isn't working, the problem may be bigger than a single endpoint. Whether you need help troubleshooting API integrations, connecting business systems that were never designed to talk to each other, implementing CRM automations correctly, or designing reliable webhook architecture from the ground up, our team can help identify the root cause and build integrations your business can depend on.

199Reliability Is Engineered, Not Achieved By Trial And Error

Most webhook failures are not random. They are caused by authentication issues, invalid payloads, API changes on one side of the integration, poor monitoring, or an integration architecture that was never designed to handle the real world it operates in. The goal is not simply getting a webhook to return a 200 OK response one more time. The goal is building business systems where data moves reliably, securely, and automatically between every application it needs to reach.

Reliable webhook integrations are not built by trial and error. They are engineered through thoughtful API design, strong security, proper validation, comprehensive monitoring, and disciplined testing. Businesses that invest in integration architecture spend less time fixing broken workflows and more time growing the business those workflows are supposed to support.

Frequently Asked Questions

Why isn't my webhook working?+

What does a 400 Bad Request mean?+

What causes a 401 Unauthorized error?+

Why am I getting a 403 Forbidden response?+

What does a 500 Internal Server Error mean?+

How do I test a webhook?+

What is the best webhook testing tool?+

How do I debug webhook requests?+

Why is my API rejecting my webhook?+

From NewMotion

Stop Debugging One Endpoint at a Time. Build Integration Architecture That Holds Up.

Book a free strategy call and we will help you find exactly why your webhook is failing and what your integration architecture actually needs.

Leave a Comment

Ask a Question or Leave a Comment