Learning Center

Smoke-Test Your Webhooks Subscriptions

Before you wire a webhook subscription into production, verify that Standard Time® can actually deliver a signed request to an endpoint you control. This guide walks you through registering a subscription, watching a live delivery land on webhook.site, verifying the HMAC signature, and confirming created, deleted, and test-fire events all work — in under 10 minutes.

Flow diagram: Standard Time sends a signed HTTPS POST to webhook.site, which logs the request so you can inspect and verify it
Standard Time® → signed HTTPS POST → webhook.site. Smoke testing confirms delivery, signing, and payload shape before you point a subscription at production infrastructure.

Prerequisites Checklist

Before you start, confirm these three items:

ItemWhat you needWhere to get it
Admin access Rights to open the Tools ribbon's Integration dropdown inside Standard Time®. Your existing login — no special permission beyond normal admin access.
A reachable HTTPS endpoint Somewhere for Standard Time® to POST to. For a smoke test, no setup is required. webhook.site — free, no signup, gives you a unique URL instantly.
Five minutes Time to register a subscription, save a test record, and confirm delivery.
Native webhooks, not Zapier: This guide covers Standard Time®'s built-in webhook subscriptions — a direct HTTPS POST with no third-party platform involved. See the Webhooks Integration guide for the full feature overview, or the Zapier integration if you need two-way automation instead.

Step 1 — Get a Test URL from webhook.site

webhook.site hands you a unique URL and logs every incoming request — headers and body — with no signup or local listener required. It is the fastest way to confirm delivery before pointing a subscription at real infrastructure.

  1. Open webhook.site in a new browser tab.
    Go to https://webhook.site. The page generates a unique URL for you automatically — no account needed.
  2. Copy "Your unique URL."
    It looks like https://webhook.site/d3cb1088-6609-4284-8d11-.... Keep this tab open — incoming requests will appear in the left-hand list as soon as they arrive. webhook.site landing page showing Your unique URL, unique email address, and unique DNS name, with the request list empty and Waiting for the first request
Copy the right URL: Use the URL shown under Your unique URL, not the browser's address bar once you've clicked into a request. The address bar shows a #!/view/... route used by webhook.site's own single-page app — pasting that as your Target URL causes every delivery to fail with a 404.

Step 2 — Register a Webhook Subscription

  1. Open the Tools ribbon → Integration dropdown → Webhooks API.
    In the top ribbon, click the Tools tab. In the Integration panel, click the Integration dropdown and choose Webhooks API. Standard Time Tools ribbon with the Integration dropdown open, showing Google Integration, OData API Key, Webhooks API, and Zapier API Key menu items
  2. Select event type project.created, paste the webhook.site URL, and add the subscription.
    Choose project.created from the Event type dropdown. Paste the URL you copied from webhook.site into Target URL. Leave Auto-generate checked for the secret. Click Add Subscription. Webhook Subscriptions dialog showing the Add Subscription form fields and a list of three active subscriptions — project.created, project.updated, and project.deleted — each with Test and Delete buttons
  3. Copy the secret immediately.
    It is shown once, in a highlighted panel. Copy it now — you'll use it in Step 4 to verify the signature. Standard Time® never displays it again; the list shows *** from now on.

Step 3 — Trigger an Event and Verify Delivery

  1. Save a new project in Standard Time®.
    Any name works — this is just to fire the project.created event you subscribed to.
  2. Switch to the webhook.site tab.
    Within a few seconds, a new entry should appear at the top of the left-hand request list.
  3. Click the new entry and inspect it.
    The right-hand pane shows the request headers — including x-st-webhook-signature — and the raw JSON body, which should contain "event": "project.created" along with the project's fields (ProjectID, ProjectName, and the rest). webhook.site request detail pane showing a delivered POST request with a x-st-webhook-signature header and a JSON body containing event and id fields
Mockup of webhook.site showing a request list with three recent deliveries and a detail pane with headers including x-st-webhook-signature and a JSON body
A successful delivery looks like this — a signed header, a JSON body matching the event type, and the request logged instantly.
Success indicator: Seeing the request arrive with the correct event value and the project's field data confirms your subscription, network path, and payload shape are all correct.

Step 4 — Verify the HMAC Signature

The x-st-webhook-signature header is an HMAC-SHA256 digest of the raw request body, computed with the secret you copied in Step 2. Recomputing it yourself confirms your receiving endpoint can trust the source of incoming requests.

PowerShell — verify a captured payload
# Paste the secret from Step 2 and the raw body from webhook.site
$key   = [System.Text.Encoding]::UTF8.GetBytes("PASTE_YOUR_SECRET_HERE")
$msg   = [System.Text.Encoding]::UTF8.GetBytes('PASTE_RAW_BODY_HERE')
$hmac  = New-Object System.Security.Cryptography.HMACSHA256 @(,$key)
$hash  = $hmac.ComputeHash($msg)
"sha256=" + (($hash | ForEach-Object { $_.ToString("x2") }) -join "")

Run this in PowerShell and compare the output to the x-st-webhook-signature value shown on webhook.site — they should match exactly.

No secret? No header. If you created the subscription without a secret, the x-st-webhook-signature header is omitted entirely rather than sent empty. That's expected — unsigned subscriptions are allowed, but signing is strongly recommended for any endpoint reachable from the public internet.

Step 5 — Test the Delete Event and the Test Button

Two more checks confirm the subscription behaves correctly under the two other event lifecycles it will see in production.

  1. Click the row's Test button in the Webhook Subscriptions dialog.
    This fires a sample payload to webhook.site immediately, without waiting for a real record change — useful for confirming your production endpoint is reachable at any time, not just when a real event happens to occur.
  2. Delete the project you created in Step 3.
    If you also registered a project.deleted subscription, a third request should arrive on webhook.site with a minimal body: { "event": "project.deleted", "id": "..." } — no other fields, since the record no longer exists to query.

Step 6 — Clean Up and Confirm the Feed Stops

  1. Delete the test subscription from the dialog.
    Click Delete next to the project.created row.
  2. Save another project.
    Confirm no further requests arrive on webhook.site. This proves the subscription — not something else — was the source of the earlier traffic, and that deleting it fully stops delivery.
Smoke test passed if: Step 3 produced a signed project.created delivery, Step 4's recomputed signature matched, Step 5 produced both a test-fire delivery and a minimal project.deleted payload, and Step 6 produced no further deliveries after the subscription was removed.

Troubleshooting

Nothing ever arrives on webhook.site

Symptoms: You saved a project, waited, and no request appeared.
Causes and fixes:
  • You copied the browser's address bar (#!/view/...) instead of "Your unique URL" — re-copy from the top of the webhook.site page.
  • The event type doesn't match the action you took — a project.created subscription only fires when a new project is saved, not when an existing one is edited.
  • The subscription's Active column shows off — toggle it back on in the dialog.
  • Give it a few seconds — delivery is asynchronous and usually lands within 5 seconds, occasionally longer under load.

The signature doesn't match

Symptoms: Your recomputed HMAC in Step 4 doesn't equal the x-st-webhook-signature header.
Causes and fixes:
  • You must hash the exact raw request body — any re-formatting, re-indenting, or trailing newline added when you copy/pasted the JSON will change the hash.
  • Double-check you pasted the secret exactly as shown when the subscription was created — it is not shown again, so a typo means starting over with a new subscription.
  • Confirm you're comparing against the x-st-webhook-signature header, not the content-length or another header of similar length.

Request arrives but the body looks wrong

Symptom: The JSON body doesn't contain the fields you expected.
Fix: Confirm the event type on the subscription matches the record type you changed — a timelog.created subscription will never fire for a project save. See the Supported Event Types section of the Webhooks Integration guide for the full field list per entity.

Test button shows an error status

Symptom: Clicking Test in the dialog shows a non-200 status instead of a successful delivery.
Fix: Confirm the Target URL is reachable from the public internet (webhook.site always is) and that it doesn't require authentication — Standard Time® sends a plain HTTPS POST with no credentials beyond the optional HMAC header.

Next Steps — All Webhook & Integration Guides

Your webhook delivery is confirmed. From here you can register subscriptions for any of the 11 record types, wire them into your own infrastructure or an automation platform, and move on to Standard Time®'s other integrations.

Webhooks Integration

The full guide: all 33 event types, HMAC signing details, the subscription dialog, and setup instructions for Power Automate, Zapier, Make, n8n, Jira, and Slack.

Read Guide →

Smoke-Test Power BI OData

The equivalent smoke test for Standard Time®'s OData feed — verify a Power BI connection with one paste-ready query before building dashboards.

Read Guide →

Zapier Integration

Need two-way automation instead of a one-way event feed? Connect Standard Time® to 7,000+ apps and let other apps create or update records back in Standard Time®.

Read Guide →

Smoke-Test Zapier

The equivalent smoke test for Zapier — build a complete two-step Zap and verify it works in both directions before relying on it.

Read Guide →

All Integrations

Webhooks are one of several integration paths. Also available: OData & Power BI, Google Sheets, Google Drive, QuickBooks Online, and AI providers.

Browse Integrations →
Related FAQ: For common questions about webhooks, API keys, and other integrations, see the Integrations & Data FAQ.
Back to Learning Center

Ready to Wire Up Real-Time Notifications?

Start a free 30-day trial and register your first webhook subscription in minutes.

View Pricing Contact Us