What Are Webhooks?
Webhooks are automated HTTP requests that deliver data to your server the moment something happens. Instead of your application repeatedly asking "any new posts?" (polling), webhooks push the data directly to you in real-time.
When Trump posts on Truth Social, our system immediately sends an HTTP POST request to your specified URL with the post content. Your server receives it instantly — no delays, no missed updates.
Why Use Webhooks?
Real-time Data
Instant delivery. No polling delays. Get data the moment it's available.
Flexible Integration
Connect to any system that accepts HTTP. Build custom workflows, bots, or dashboards.
Automation
Trigger actions automatically — trading alerts, Slack posts, content archiving, and more.
Common Use Cases
- Trading Bots: Analyze post sentiment and execute trades automatically
- Slack/Discord: Forward posts to your team's communication channels
- Content Archiving: Store posts in your own database for analysis
- Custom Dashboards: Build real-time displays for monitoring
- Notification Forwarding: Send SMS or push notifications via your own systems
Before You Start
To use webhooks, you'll need:
- A Pro plan subscription — webhooks are a Pro feature
- A server or service that can receive HTTPS POST requests
- Your endpoint URL must use HTTPS (HTTP is not supported for security)
- Basic familiarity with JSON and HTTP requests
Tip: If you don't have a server, you can use services like webhook.site for testing, or Pipedream for building workflows.
How to Set Up Webhooks
Enable Webhook Notifications
Go to your Dashboard → Notifications and toggle on "Webhook Notifications". This enables the webhook delivery system for your account.
Navigate to Integrations
Go to Dashboard → Integrations. This is where you'll manage your webhook endpoints.
Add Your Webhook Endpoint
Click "Add Endpoint" and enter your webhook URL. The URL must:
- Use HTTPS (required for security)
- Be publicly accessible from the internet
- Accept POST requests with JSON body
- Respond within 30 seconds
Copy Your Secret Key
After adding your endpoint, you'll receive a unique secret key. This key is used to verify that incoming webhooks are genuinely from Follow Trump's Truth.
Implement Signature Verification
On your server, implement HMAC-SHA256 signature verification to ensure incoming requests are authentic. See the code examples below.
Test Your Webhook
In the Integrations page, click the "Test" button next to your endpoint. This sends a sample payload to verify everything works.
Webhook Payload Reference
Every webhook delivery includes the following JSON payload and HTTP headers:
HTTP Headers
| Header | Description |
|---|---|
| Content-Type | application/json |
| X-Ftt-Signature | HMAC-SHA256 signature (hex encoded) |
| X-Ftt-Event | Event type (e.g., post.created) |
| User-Agent | FollowTrumpsTruthWebhook/1.0 |
JSON Payload
{
"event": "post.created",
"data": {
"id": "1ec427d7-ee29-432d-829f-4a17da1e4505",
"content": "Note from President Emmanuel Macron, of France:",
"link": "https://truthsocial.com/@realDonaldTrump/115925848634299232",
"published_at": "2026-01-20T05:47:54.232+00:00",
"categories": [
{
"name": "ForeignPolicy",
"display_name": "Foreign Policy"
}
]
},
"timestamp": "2026-01-20T05:48:06.179Z"
}Fields:
event— The event type (currently only "post.created")data.id— Unique identifier for the post (UUID)data.content— The full text content of the postdata.link— Direct link to the original Truth Social postdata.published_at— When the post was published (ISO 8601 with timezone)data.categories— Array of categories assigned to the posttimestamp— When the webhook was sent (ISO 8601)
Verifying Signatures
Always verify the X-Ftt-Signature header to ensure webhooks are genuinely from us and haven't been tampered with.
Security Warning: Never skip signature verification in production! Without it, anyone could send fake webhooks to your endpoint.
How It Works
- Compute an HMAC-SHA256 hash of the raw request body using your secret key
- Compare the computed hash with the
X-Ftt-Signatureheader value - If they match, the webhook is authentic
Code Examples
Node.js / JavaScript
const crypto = require('crypto');
function verifySignature(payload, signature, secret) {
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(payload, 'utf8')
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
}
// Express.js example
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.headers['x-ftt-signature'];
const payload = req.body.toString();
if (!verifySignature(payload, signature, process.env.WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
const data = JSON.parse(payload);
console.log('New post:', data.data.content);
res.status(200).send('OK');
});Python
import hmac
import hashlib
import os
from flask import Flask, request, abort
app = Flask(__name__)
def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
expected = hmac.new(
secret.encode('utf-8'),
payload,
hashlib.sha256
).hexdigest()
return hmac.compare_digest(signature, expected)
@app.route('/webhook', methods=['POST'])
def webhook():
signature = request.headers.get('X-Ftt-Signature', '')
payload = request.get_data()
if not verify_signature(payload, signature, os.environ['WEBHOOK_SECRET']):
abort(401, 'Invalid signature')
data = request.get_json()
print(f"New post: {data['data']['content']}")
return 'OK', 200Go
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"io"
"net/http"
"os"
)
func verifySignature(payload []byte, signature, secret string) bool {
mac := hmac.New(sha256.New, []byte(secret))
mac.Write(payload)
expected := hex.EncodeToString(mac.Sum(nil))
return hmac.Equal([]byte(signature), []byte(expected))
}
func webhookHandler(w http.ResponseWriter, r *http.Request) {
signature := r.Header.Get("X-Ftt-Signature")
payload, _ := io.ReadAll(r.Body)
if !verifySignature(payload, signature, os.Getenv("WEBHOOK_SECRET")) {
http.Error(w, "Invalid signature", http.StatusUnauthorized)
return
}
// Process the webhook payload
w.WriteHeader(http.StatusOK)
w.Write([]byte("OK"))
}PHP
<?php
function verifySignature($payload, $signature, $secret) {
$expected = hash_hmac('sha256', $payload, $secret);
return hash_equals($expected, $signature);
}
$payload = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_FTT_SIGNATURE'] ?? '';
$secret = getenv('WEBHOOK_SECRET');
if (!verifySignature($payload, $signature, $secret)) {
http_response_code(401);
exit('Invalid signature');
}
$data = json_decode($payload, true);
error_log('New post: ' . $data['data']['content']);
http_response_code(200);
echo 'OK';Testing Your Webhook
Using the Dashboard Test Button
The easiest way to test is using the "Test" button in your Integrations dashboard. This sends a sample payload with test data.
- The test payload looks identical to real webhooks
- It includes a valid signature computed with your secret
- Check your server logs to see the incoming request
Using webhook.site for Debugging
If you're building your integration, webhook.site is a free tool that gives you a temporary URL to receive webhooks:
- Go to webhook.site and copy your unique URL
- Add this URL as an endpoint in your dashboard
- Click "Test" and watch the payload appear on webhook.site
- Use this to understand the payload structure before coding
Checking the Activity Log
The Activity tab in your Integrations page shows a history of all webhook deliveries, including status codes, response times, and any error messages.
Troubleshooting
Webhooks aren't being received at all
Check these common issues:
- Ensure Webhook Notifications is enabled in Dashboard → Notifications
- Verify your endpoint URL is correct and uses HTTPS
- Check that your server is publicly accessible (not localhost)
- Look for firewall rules blocking incoming requests
- Verify the endpoint is active (not disabled due to failures)
Signature verification is failing
Common causes:
- Wrong secret: Make sure you're using the exact secret shown when you created the endpoint
- Modified body: Some frameworks parse JSON automatically. Use the raw body for signature computation
- Encoding issues: Ensure you're using UTF-8 encoding
- String comparison: Use constant-time comparison to prevent timing attacks
Tip: Log both the received signature and your computed signature to compare them.
My endpoint was auto-disabled
We automatically disable endpoints that fail repeatedly (circuit breaker pattern). This prevents wasting resources on broken endpoints.
To re-enable:
- Fix the underlying issue with your endpoint
- Go to Dashboard → Integrations
- Click the "Reset" button on the disabled endpoint
- Test with the "Test" button before relying on it
Webhook requests are timing out
Your endpoint must respond within 30 seconds. If processing takes longer, consider:
- Respond immediately: Return 200 OK right away, then process asynchronously
- Use a queue: Push the payload to a message queue (Redis, RabbitMQ) for background processing
- Check your server: Look for slow database queries or external API calls
I'm receiving duplicate webhooks
Webhooks may be retried if your endpoint returns an error or times out. To handle this:
- Use the
data.idfield to check if you've already processed this post - Store processed post IDs in a database or cache
- Make your processing logic idempotent (safe to run multiple times)
Best Practices
Always Verify Signatures
Never trust incoming webhooks without validating the signature. This prevents attackers from sending fake data.
Respond Quickly
Return a 2xx response as fast as possible. Do heavy processing in the background to avoid timeouts.
Handle Retries
Design your handler to be idempotent. Use post IDs to detect and skip duplicate deliveries.
Log Everything
Log incoming webhooks, signatures, and processing results. This makes debugging much easier.
Need Help?
Having trouble setting up webhooks? Our support team is here to help with implementation questions and troubleshooting.
[email protected]