アトラシアン自動化で受信 Webhook トリガーを設定する

In Atlassian Automation, flows can be triggered with an incoming webhook. You can use this trigger if you want to run a flow by sending a web request from another system, such as a third-party application. In the coming months, flows containing incoming webhook triggers will begin to be routed through more secure endpoint. This update is part of our continuous focus to uplift the security and reliability of Atlassian Automation.

Create a new flow with an incoming webhook trigger

All newly created flows that contain the incoming webhook trigger will automatically be routed through the new endpoint. No action is required on your end to prepare these flows for migration.

To create and configure a flow with an incoming webhook:

1. Jira または Confluence で自動化のルールビルダーを開きます。

2. トリガーとして受信 Webhook を選択します。

3. Select an action for your flow, as well as any conditions or branches you may want to add.

4. Turn on your flow. You can also save it as a draft and enable it later.

5. You’ll now be able to see a URL and secret in the trigger step.

6. その URL とシークレットをコピーします。

7. URL とシークレットを接続先のアプリに入力し、X-Automation-Webhook-Token という名前で新しい HTTP ヘッダーを追加します。これを行う方法はアプリによって異なる可能性があるため、ご利用のアプリの手順をご確認ください。ご利用のアプリでカスタム HTTP ヘッダーがサポートされていない場合、URL の末尾にスラッシュを挿入し、それに続けてシークレットを追加できます。たとえば、https://URL/SECRET のようにします。これにより、HTTP ヘッダーが不要になります。ただし、シークレットのセキュリティ強化のため、可能な場合はヘッダーを使うことをおすすめします。

8. You can verify if the URL successfully triggered your flow by visiting the audit log after it runs.

Update an existing flow containing an incoming webhook trigger

Flows created before 28 January 2025 will work normally until 30 May 2025, however for these flows to continue working after this date, you'll need to make the changes in the applications to migrate to the new endpoint. The legacy endpoint will no longer be available to trigger your flows as of 30 May 2025.

To migrate existing flows to the new endpoint:

1. Open the automation flow list in Jira or Confluence.

2. Click on the ‘Trigger' filter and select the ‘Incoming webhook’ filter. All flows triggered by an incoming webhook will be shown. These flows need to be updated before 30 May 2025.

3. Within these filtered flows, any which have recently been triggered through a legacy webhook will have a warning icon next to their name. This shows which flows are actively using the legacy URL.

4. Open one of the flows with a warning icon in the rulebuilder.

5. Select the trigger step.

6. 新しい URL とシークレットをコピーします。

7. Enter the new URL and secret into your connected application, and add a new HTTP header with the name X-Automation-Webhook-Token. The method to do this can vary between applications, so you may need to check what the instructions are for your application. If your application does not support custom HTTP headers, you can instead insert a slash at the end of the URL and add the secret after this. For example, https://URL/SECRET. This will allow you to update your flows without the need for a HTTP header. However, we recommend using the header if possible, as it provides more security for your secret.

8. You can verify if the new URL successfully triggered your flow by visiting the audit log after it runs.

9. Repeat the above steps for all flows containing an incoming webhook trigger.

You'll need to manually update all flows containing the incoming webhook trigger, and make changes in their connected applications, as running bulk actions to do so is not possible in this migration.

Webhook リクエストの認証の仕組み

When a new webhook trigger is created, a unique token is automatically generated. Only incoming HTTP requests that present that token will actually trigger the flow. We recommend you keep this token private, so no one else can trigger your flows using a webhook. The token does not have an expiry date. If you suspect your token may have been compromised, you can click the Regenerate button to immediately invalidate the previous token and generate a new one. If you do that, please note that you will have to quickly update the token in all your connected applications.

受信 Webhook が機能していることを確認するには

You can perform a quick check by triggering a webhook event and sending a POST request, via cURL or POSTMAN, to check if that triggers your flow. To check with any of the methods below, first:

1. Open your flow in the rulebuilder.

2. 受信 Webhook トリガーを選択します。

3. Webhook の URL とシークレットをコピーします。

cURL を使用して確認するには次の手順を実行します。

1 2 curl -X POST -H 'Content-type: application/json' -H 'X-Automation-Webhook-Token: <Add you secret here>' \ <Insert_webhook_URL>

Executing the above cURL command in a terminal will return a null. After that, you can check the audit log to see if the flow has run.

POSTMAN を使用して確認するには次の手順を実行します。

1. リクエスト タイプを POST に変更します。

2. Webhook の URL を URL セクションに貼り付けます。

3. X-Automation-Webhook-Token というヘッダーと、シークレットに設定された値を指定します。

4. [送信] を選択します。

5. [ステータス] に、POST リクエストが成功したことを示す 200 応答コードが表示されるはずです。

6. Check the automation audit log to make sure the flow has run successfully.

If the flow is triggered using any of the above methods, it will give you a confirmation that the incoming webhook step is working as expected.

We’ll release further updates over the next few months, which will make it easier for you to prepare for this upcoming change. These will be announced via email, community post and release notes. Information about these updates will also be added to this page once they’re available. In the meantime, if you’d like further assistance, you can contact support.