Configure the incoming webhook trigger in Atlassian automation

In Atlassian Automation, rules can be triggered with an incoming webhook. You can use this trigger if you want to run a rule by sending a web request from another system, such as a third-party application. In the coming months, rules containing incoming webhook triggers will begin to be routed through more secure endpoint. This update is part of our continuous focus to uplift the security and reliability of Atlassian Automation.

Create a new rule with an incoming webhook trigger

All newly created rules that contain the incoming webhook trigger will automatically be routed through the new endpoint. No action is required on your end to prepare these rules for migration.

To create and configure a rule with an incoming webhook:

1. Open the Automation rulebuilder in Jira or Confluence.

2. Select Incoming webhook as your trigger.

3. Select an action for your rule, as well as any conditions or branches you may want to add.

4. Turn on your rule. You can also save it as a draft and enable it later.

5. You’ll now be able to see a URL and secret in the trigger component.

6. Copy the URL and secret.

7. Enter the URL and secret into your connected application, and add a new HTTP header with the name X-Automation-Webhook-Token. The method to do this can vary between applications, so you may need to check what the instructions are for your application. If your application does not support custom HTTP headers, you can instead insert a slash at the end of the URL and add the secret after this. For example, https://URL/SECRET. This will allow you to bypass the need for a HTTP header. However, we recommend using the header if possible, as it provides more security for your secret.

8. You can verify if the URL successfully triggered your rule by visiting the audit log after it runs.

Update an existing rule containing an incoming webhook trigger

Rules created before 28 January 2025 will work normally until 30 May 2025, however for these rules to continue working after this date, you'll need to make the changes in the applications to migrate to the new endpoint. The legacy endpoint will no longer be available to trigger your rules as of 30 May 2025.

To migrate existing rules to the new endpoint:

1. Open the Automation rule list in Jira or Confluence.

2. Click on the ‘Trigger' filter and select the ‘Incoming webhook’ filter. All rules containing an incoming webhook trigger will be shown.

3. Open one of these rules in the rulebuilder and select the trigger component.

4. Copy the new URL and secret.

5. Enter the new URL and secret into your connected application, and add a new HTTP header with the name X-Automation-Webhook-Token. The method to do this can vary between applications, so you may need to check what the instructions are for your application. If your application does not support custom HTTP headers, you can instead insert a slash at the end of the URL and add the secret after this. For example, https://URL/SECRET. This will allow you to update your rules without the need for a HTTP header. However, we recommend using the header if possible, as it provides more security for your secret.

7. You can verify if the new URL successfully triggered your rule by visiting the audit log after it runs.

8. Repeat the above steps for all rules containing an incoming webhook trigger.

You'll need to manually update all rules containing the incoming webhook trigger, and make changes in their connected applications, as running bulk actions to do so is not possible in this migration.

How can I check the incoming webhook is working?

You can perform a quick check by triggering a webhook event and sending a POST request, via cURL or POSTMAN, to check if that triggers your rule. To check with any of the methods below, first:

1. Open your rule in the rulebuilder.

2. Select the incoming webhook trigger.

3. Copy the webhook URL and secret.

To check using cURL:

1 2 curl -X POST -H 'Content-type: application/json' -H 'X-Automation-Webhook-Token: <Add you secret here>' \ <Insert_webhook_URL>

Executing the above cURL command in a terminal will return a null. After that, you can check the audit log to see if the rule has run.

To check using POSTMAN:

1. リクエスト タイプを POST に変更します。

2. Paste the Webhook URL in the URL section.

3. Include the header X-Automation-Webhook-Token with the value set to your secret.

4. Select Send.

5. [ステータス] に、POST リクエストが成功したことを示す 200 応答コードが表示されるはずです。

6. 自動化の監査ログで、ルールが正常に実行されたことを確認します。

If the rule is triggered using any of the above methods, it will give you a confirmation that the incoming webhook component is working as expected.

We’ll release further updates over the next few months, which will make it easier for you to prepare for this upcoming change. These will be announced via email, community post and release notes. Information about these updates will also be added to this page once they’re available. In the meantime, if you’d like further assistance, you can contact support.