How do I test WorkOS webhooks locally?

WorkOS can only POST to a public URL, so you bridge the public internet to your machine. Create a Webhook Relay bucket, paste its endpoint as the webhook URL in the WorkOS Dashboard → Webhooks, then run the relay agent: 'relay forward --bucket workos http://localhost:8080/webhook'. The agent connects outbound, so there are no firewall ports to open and no public IP required.

Can I test a WorkOS webhook on localhost without deploying?

Yes. Inspect the payload first in a free Webhook Bin to see exactly what WorkOS sends, then forward the same events to your local server with the relay agent. You develop and debug your handler entirely on localhost while WorkOS sends live events.

How does WorkOS sign its webhooks?

WorkOS signs each request with an HMAC-SHA256 over the timestamp and raw body, sent in the WorkOS-Signature header as 't= , v1= ' (the same approach as Stripe). Recompute the HMAC with your endpoint secret and compare it in constant time, and reject stale timestamps to prevent replays.

Test WorkOS Webhooks Locally (Receive WorkOS Webhooks on localhost)

You are building a WorkOS integration and you need to watch your handler react to a real event. The problem hits immediately: WorkOS will only POST to a public URL, and your handler is running on localhost:8080. WorkOS has no way to reach it.

The usual workarounds are slow. Deploying to a staging environment for every code change kills your iteration speed. Copying a sample payload out of the docs into curl gives you a guess at the real request, not the exact headers and body WorkOS actually sends. What you really want is to test WorkOS webhooks locally — real events, hitting your local handler, on a URL that does not change every time you restart.

This guide shows how to do exactly that.

Why testing WorkOS webhooks locally is tricky

A webhook is just an HTTP request that WorkOS sends to a URL when something changes. WorkOS lives on the public internet; your dev machine usually does not. It sits behind a router, a corporate firewall, or both, with no public IP and no inbound ports open.

So you need something in the middle: a public endpoint WorkOS can hit that relays each request down to your laptop without you opening a single firewall port. That is what Webhook Relay does — and unlike a random tunnel URL, the endpoint is stable, so you configure WorkOS once and never touch it again.

Step 1: Inspect the real payload with Webhook Bin

Before you write any handler code, find out what WorkOS actually sends. Open the free Webhook Bin — no signup — and you get an instant public URL.

Copy the Webhook Bin URL.
In the WorkOS Dashboard, go to Webhooks, click Create Endpoint, paste the URL, and select the events you want.
Trigger a real event and inspect the captured request.

You will see the full body and every header. The body is JSON with top-level event, id, data and created_at keys. The data object mirrors the resource that changed (a directory user, a group membership, an SSO connection).

Now you know the exact shape of the data before writing a line of code. For more on this approach, see How to test webhooks and What is a webhook.

Step 2: Forward the events to localhost with the relay agent

Once you know the payload, route those same events into your local handler. Sign up for Webhook Relay, install the relay agent (CLI or Docker), and create a bucket — say workos. The bucket gives you a stable public input endpoint.

Start forwarding to your local server:

relay forward --bucket workos http://localhost:8080/webhook

The agent opens an outbound connection to Webhook Relay and streams every incoming request down to http://localhost:8080/webhook. Because the connection is outbound, there are no firewall ports to open and no public IP needed — this works from your laptop, behind a corporate proxy, or inside a Kubernetes cluster. Running in Docker? The same command works in the official webhookrelay/webhookrelayd image. Full details are in the localhost forwarding docs.

Now point the WorkOS webhook at your Webhook Relay endpoint (or create it there from the start), trigger an event, and watch it arrive on localhost.

WorkOS-specific configuration and quirks

A few WorkOS details worth knowing:

Where to add it: the WorkOS Dashboard → Webhooks → Create Endpoint. Each endpoint has its own signing secret.
Events: Directory Sync (dsync.*), SSO connection (connection.*) and other lifecycle events — subscribe only to what you need.
Payload shape: JSON with event, id, data, created_at. Branch on event in your handler.
Respond fast: acknowledge with a quick 2xx; WorkOS retries failed deliveries with backoff.

Step 3: Verify the WorkOS webhook signature

WorkOS signs every request. It computes an HMAC-SHA256 of "{timestamp}.{raw body}" using your endpoint's signing secret and sends it in the WorkOS-Signature header as t=<timestamp>, v1=<signature>. Your handler should split out the timestamp and signature, recompute the HMAC over timestamp + "." + rawBody, and compare in constant time. Reject requests whose timestamp is not recent to stop replays.

To sanity-check an HMAC implementation, paste a captured body, your secret, and the received signature into the free HMAC signature verifier. For language-specific code and the common pitfalls (reading the body after a JSON parser has already consumed it, timing-safe comparison), read Verify a webhook signature.

Replay and iterate

This is where local development gets fast:

Replay from Webhook Relay — past requests are stored on your bucket, so you can resend a captured event against your handler without touching WorkOS at all.
Iterate on your handler by editing code and replaying the same delivery until it behaves correctly. No commits, no pushes, no deploys just to test a single code path.
Keep relay forward running while you work — events stream straight to localhost as you trigger them in WorkOS.

Because the Webhook Relay endpoint is stable, you can stop and restart the agent, reboot your machine, or come back next week — the WorkOS configuration never needs to change.

Get started

Inspect the real payload in the free Webhook Bin — no signup needed.
Create a Webhook Relay account, install the agent, and run relay forward --bucket workos http://localhost:8080/webhook.
Point your WorkOS webhook at the stable endpoint, trigger an event, and watch it hit localhost.

You will be testing real WorkOS events against your local handler in a few minutes — no deploys, no open firewall ports, and a URL you configure exactly once.

Tunnels

Webhooks

User Management