Set up webhooks from Nango

Webhook settings in Nango are specific to each environment.
To subscribe to Nango webhooks:
  1. Set up a POST endpoint in your app to receive the Nango webhooks
  2. Input the endpoint’s URL in your Environment Settings, under Webhook URLs (direct link for your dev environment)
  3. Implement verify incoming webhooks to ensure sure only authentic Nango webhooks are processed
  4. Implement processing logic for each webhook type from Nango you want to handle
    • Make sure your processing logic handles the webhooks you have enabled in the environment settings
You can configure up to two webhook URLs per environment. Nango webhooks will be sent to both. To test webhooks locally, use a webhook forwarding service like [ngrok](https://dev.to/mmascioni/testing-and-debugging-webhooks-with-ngrok-4alp, or webhook.site.

Verifying webhooks from Nango

Validate webhooks from Nango by looking at the X-Nango-Signature header. It’s a SHA-256 hash of the webhook payload with the secret key, found in the Environment Settings in the Nango UI, prepended. The webhook signature can be generated with the following code: 
async (req, res) => {
    const signature = req.headers['x-nango-signature'];
    const isValid = nango.verifyWebhookSignature(signature, req.body);
}
Only accept a webhook if the X-Nango-Signature header value matches the webhook signature.

Types of Nango webhooks

New Nango webhook types are added regularly, without considering this a breaking change. Your webhook handling logic should gracefully support receiving new types of webhooks by simply ignoring them.
All webhooks from Nango are POST requests. The exact webhook type definitions can be found here.

Auth webhooks

New connection webhooks have "type": "auth" and "operation": "creation". They are sent after a connection has been successfully created. Payload received following a connection creation: 
{
    "type": "auth",
    "operation": "creation",
    "connectionId": "<your-connection-id>",
    "authMode": "OAUTH2 | BASIC | API_KEY | ...",
    "providerConfigKey": "<your-integration-id>",
    "provider": "<your-provider-key>",
    "environment": "DEV | PROD | ...",
    "success": true,
    "endUser": { 
        "endUserId": "<your-end-user-id>", 
        "organizationId": "<your-organization-id>"
    }
}
Processing webhooks with "type": "auth" and "operation": "creation" is necessary. After a connection is created, these webhooks give you the generated connection ID which lets you access the connection later on.Use the values of endUser.endUserId (and optionally endUser.organizationId) to reconcile and save the connection ID with the user/org who initiated the connection.
All authMode values can be found here. The authMode value depends on the provider value. All operation values are:
  • creation: a new connection has been created
  • override: a connection has been re-authorized
  • refresh: an OAuth connection’s access token has failed to refresh
Payload received following a refresh token error: 
{
    "type": "auth",
    "operation": "refresh",
    "connectionId": "<your-connection-id>",
    "authMode": "OAUTH2 | BASIC | API_KEY | ...",
    "providerConfigKey": "<your-integration-id>",
    "provider": "<your-provider-key>",
    "environment": "DEV | PROD | ...",
    "success": false,
    "endUser": { 
        "endUserId": "<your-end-user-id>", 
        "organizationId": "<your-organization-id>"
    },
    "error": {
        "type": "<string>",
        "description": "<string>"
    }
}
Webhooks are only sent for certain connection creation errors. For example, during the OAuth flow, some errors are reported locally in the OAuth modal by the external API. Since Nango does not receive these errors, it cannot trigger a webhook for them.

Sync webhooks

Sync webhooks are sent when a sync execution finishes, whether successful or not. Payload received following a successful sync execution: 
{
    "type": "sync",
    "connectionId": "<your-connection-id>",
    "providerConfigKey": "<your-integration-id>",
    "syncName": "<your-sync-script-name>",
    "model": "<your-model-name>",
    "syncType": "INCREMENTAL | INITIAL | WEBHOOK",
    "success": true,
    "modifiedAfter": "<timestamp>",
    "responseResults": {
        "added": number,
        "updated": number,
        "deleted": number
    }
}
The modifiedAfter is an ISO-8601 format string (e.g. 2025-05-21T18:52:49.838Z) that represents the start time of the last sync. When the webhook target application receives this payload, it should store this value against the connectionId as a “bookmark”. On the next sync webhook event, use the stored bookmark to retrieve the changed records and store the new modifiedAfter as the next bookmark. This mechanism ensures that no deltas are missed. By default, Nango sends a webhook even if no modified data was detected in the last sync execution (referred as an “empty” sync), but this is configurable in your Environment Settings. In case of an empty sync, the responseResults would be: 
{
    "added": 0,
    "updated": 0,
    "deleted": 0
}
The syncType possible values are:
  • INITIAL: for the very first execution of a sync.
  • INCREMENTAL: for subsequent executions of a sync.
  • WEBHOOK: when an external API webhooks triggers the execution of the sync’s onWebhookPayloadReceived function.
Payload received following a failed sync execution: 
{
    "type": "sync",
    "connectionId": "<your-connection-id>",
    "providerConfigKey": "<your-integration-id>",
    "syncName": "<your-sync-script-name>",
    "model": "<your-model-name>",
    "syncType": "INCREMENTAL | INITIAL | WEBHOOK",
    "success": true,
    "error": {
        "type": "<string>",
        "description": "<string>"
    },
    "startedAt": "<timestamp>",
    "failedAt": "<timestamp>"
}

External webhook forwarding

Webhooks forward from external APIs have the following JSON body: 
{
   "from": "hubspot",
   "type": "forward",
   "connectionId": "<CONNECTION-ID>",
   "providerConfigKey": "<INTEGRATION-ID>",
   "payload": ... // Raw payload from Hubspot webhook
}

Webhook retries & debugging

Nango retries each webhook with non-2xx responses 7 times with exponential backoff (starting delay: 100ms, time multiple: 2, view details in the code). Each webhook attempt is logged in Nango’s logs. You can also use the OpenTelemetry exporter to monitor Nango webhooks in your own observability stack.
Questions, problems, feedback? Please reach out in the Slack community.