Webhooks
Learn how webhook actions send event payloads to an external URL when a trigger fires.
Read time 6 minutesLast updated 3 hours ago
You can configure a trigger to send an HTTP request to an external URL when an event is fired. This is called a webhook action. Use webhooks to integrate UGS events with your own backend, third-party APIs, or notification services (for example Slack or Discord) without running Cloud Code. When the trigger fires, the Triggers service sends an HTTP request to the URL you configure, using the method, headers, and body you specify. Use a payload template to shape the request body from the event data. Failed deliveries are stored in the dead letter queue, where you can inspect and replay them.
When to use webhooks
Use a webhook action when you want to:- Notify an external system when a UGS event occurs (for example, player signed up, score submitted, or a scheduled time).
- Forward event data to your own server or a third-party API in a custom format.
- Post notifications to a messaging service (for example Slack or Discord) when players perform key actions.
- Avoid running Cloud Code for simple HTTP callouts.
Webhook configuration
When you create a trigger withactionType: webhookwebhookField | Required | Description |
|---|---|---|
| Yes | The destination URL. Must be a valid HTTP or HTTPS endpoint that resolves to a public IP address. Maximum length 2,048 characters. |
| No | The HTTP method. Supported values: |
| No | HTTP headers as key-value pairs. Maximum 10 entries. Each header name must be ASCII and at most 256 characters. Each header value must not be empty and must be at most 8,192 characters. If |
| Conditional | A template that builds the request body from the event payload. Required when |
actionUrnurn:ugs:webhookNote
The webhook URL must resolve to a public IP address. The Triggers service rejects URLs that point to localhost, private IP ranges, or link-local addresses at the time the trigger is created.
Content types
The following content types are supported for webhook payloads. Set the content type by including aContent-TypeheadersContent type | Payload format |
|---|---|
| Valid JSON. Payload is optional — when omitted, the full event payload is forwarded as-is. |
| XML body. |
| Raw text body. |
| HTML body. |
| URL-encoded key-value pairs separated by |
| Multipart body with boundary lines and |
application/jsonpayloadTemplateAuto-injected headers
The Triggers service automatically adds the following headers to every outbound webhook request. You cannot override theUser-AgentContent-TypeAcceptHeader | Value | Notes |
|---|---|---|
| | Added as default only if not already present in your headers. |
| | Added as default only if not already present in your headers. |
| | Always set; cannot be overridden. |
| Request identifier | A UUID set per-request for tracing purposes. |
| Event ID | The unique ID of the event that fired the trigger. |
| W3C trace context | Included to support distributed tracing on your end, if needed. |
Template syntax
URL, headers, andpayloadTemplate{{ }}Event payload
In all three (URL, headers,payloadTemplate{{.}}{{.fieldName}}{{.playerId}}{{.score}}Note
Template field access (for example ) requires the event payload to be a JSON object. The payload from all UGS events is a JSON object, so this is satisfied automatically for standard event triggers.
{{.playerId}}Event fields in headers
You can use event payload fields in header values, for exampleX-Player-ID: {{.playerId}}X-Score: {{.score}}Using secrets in templates
You can reference secrets stored in Secret Manager inside templates to handle authentication, signature verification, or to inject other sensitive values. The Triggers service resolves secrets at request time, so the raw value is never stored in the trigger configuration. Store each secret in Secret Manager and use its key asSECRET_NAMEFunction | Description | Example |
|---|---|---|
| HMAC-SHA256 signature of the final request body, hex-encoded. Uses the named secret as the shared key. Your backend recomputes the signature using the same shared secret and compares it to verify the request came from Triggers. Computed after the payload template is rendered. | |
| HMAC-SHA512 signature of the final request body, hex-encoded. Uses the named secret as the shared key. Your backend recomputes the signature using the same shared secret and compares it to verify the request came from Triggers. Computed after the payload template is rendered. | |
| Raw secret value. Use for API keys or Basic auth credentials. | |
| Short-lived JWT minted by the Triggers service for the request. Contains | |
projectIdenvironmentIdQuoting and escaping template expressions
Template expressions use double quotes for function argument names:In the Unity Dashboard, enter template expressions exactly as shown above. The Dashboard handles JSON serialization automatically when it submits the form. When configuring via the API or CLI, the template is sent as a JSON string value. Every{{ secret "SECRET_NAME" }}{{ hmac_sha256 "SECRET_NAME" }}
"\"For example, a"X-Signature-256": "{{ hmac_sha256 \"WEBHOOK_SECRET\" }}"
payloadTemplate"payloadTemplate": "{\"token\": \"{{ secret \"VERIFY_TOKEN\" }}\"}"
URL
Use template expressions to inject secrets or event data into the webhook URL.Expression | Description | Example |
|---|---|---|
| Insert the secret value into the URL path or query string. | |
| Insert an event payload field into the URL. | |
Payload template
Use template expressions to build the request body from the event payload.Expression | Description | Example |
|---|---|---|
| Entire event payload as JSON. | |
| Single field from the event payload. | |
| Insert a secret value into the body. | |
"payloadTemplate": "{\"event\": \"score-submitted\", \"data\": {{.}}, \"token\": \"{{ secret \"VERIFY_TOKEN\" }}\"}"
Example webhook trigger
The following example shows how to create a webhook trigger using the API. It sends a POST request when a leaderboard score is submitted, with a JSON body built from the event and an HMAC signature header:Ensure the secret{ "name": "notify-score-webhook", "eventType": "com.unity.services.leaderboards.score-submitted.v1", "actionType": "webhook", "actionUrn": "urn:ugs:webhook", "webhook": { "url": "https://example.com/events", "method": "POST", "headers": { "Content-Type": "application/json", "X-Signature-256": "{{ hmac_sha256 \"WEBHOOK_SECRET\" }}" }, "payloadTemplate": "{\"event\": \"score-submitted\", \"data\": {{.}}}" }}
WEBHOOK_SECRETFilters
You can add a filter to a webhook trigger so the HTTP request is only sent when the filter condition is true. For example, only send when a specific leaderboard is used or when a score is above a threshold.Retries and failed delivery
The Triggers service retries webhook delivery on server errors, timeouts, and rate-limiting responses. It makes up to 3 application-level retries using exponential backoff. After retries are exhausted, the event is stored in the dead letter queue, where you can replay or discard it. Client errors (4xx, except 429) are not retried and are not added to the queue. For the full retry behavior including which status codes are retried and howRetry-After