HTTP Request, APIs and Webhooks
The two key doors of n8n: HTTP Request to call any API and Webhook to catch events from outside.
In this chapter
HTTP Request and Webhook are n8n's two main doors to the outside world: one goes out (you call an API), one catches what comes in (something triggers you). In this chapter you will learn every detail of both — authentication, response handling, pagination, error handling and webhook security — with real examples.
Topics
- HTTP Request: GET, POST, PUT, DELETE
- Auth: API Key, Bearer, OAuth2
- Request body: JSON, form-data, query params
- Response handling and pagination
- Webhook trigger: URLs, secrets, GET/POST
- Webhook response: sync vs async
- Test vs Production webhook URLs
HTTP Request: GET, POST, PUT, DELETE
HTTP Request lets you talk to any REST API. Method depends on intent: read → GET, create → POST, update → PUT/PATCH, delete → DELETE. Expressions work in the URL ({{ $json.id }} for dynamic id). Query Parameters, Headers and Body are separate tabs; in particular, the Content-Type header (application/json vs form-data) must match what the API expects or you get 415.
Authentication: API Key, Bearer, OAuth2
APIs want proof of identity. The three you will meet most: (1) API Key (Header Auth) — set in a header (e.g. X-API-Key), simplest to set up; (2) Bearer Token — 'Authorization: Bearer <token>', the modern default; (3) OAuth2 — when you act on behalf of a user (Google, Slack, Gmail). Set OAuth2 up once in n8n Credentials and token refresh is handled for you. Never leak keys into the URL or body — always use Credentials.
Request body: JSON, form-data, query params
Body must match what the API expects. JSON mode: 'Specify Body' = JSON and write the parameter object — the most common. Form-Encoded (application/x-www-form-urlencoded) for older APIs, form-data for file uploads (binary). Query params are handy for small filters (?status=active&limit=50) but long lists or sensitive data belong in the body.
Response handling and pagination
API responses don't always arrive as expected. A non-200 status throws an error in n8n — use 'Continue On Fail' to keep the flow alive and handle it in the 'On Error' branch. On 429 (rate limit), apply Wait + retry. For pagination, the HTTP Request 'Pagination' tab is essential: pick cursor-based or page-number, and set 'Max Pages' to block infinite loops.
Webhook trigger: URL, secret, GET/POST
The Webhook node generates an endpoint URL (e.g. https://n8n.example.com/webhook/abc123). You hand this URL to an external service (Stripe, GitHub, Typeform, your own backend); on an event the service POSTs to it. Configure HTTP Method (GET/POST), Path (/webhook-name) and Authentication (None / Basic / Header / JWT). Critical: never expose a webhook URL without an auth layer — anyone can spam it.
Test vs Production webhook URLs
The Webhook node shows two URLs: 'Test URL' (active only while you're waiting in the editor — short-lived) and 'Production URL' (permanent while the workflow is Active). Use Test URL during development; switch to Production URL when going live and update the external service's webhook config. The most common mistake: developing with the Test URL and putting it into production — then wondering why nothing fires.
Webhook response: sync vs async
How the webhook replies is controlled by the 'Respond' parameter. 'Immediately' returns 200 OK at receive time and runs the flow in the background — ideal when the caller (Stripe, GitHub) shouldn't wait. 'When Last Node Finishes' waits for the whole flow and returns the last node's output — for integrations that expect a result. 'Using Respond to Webhook Node' lets you return a custom response at any point in the flow — the most flexible option for chatbots and form-style scenarios.
This chapter's workflow (n8n editor view)