My Profile
Sign Out
Tickets
Knowledge Base
Login
Articles in this section
Category / Section
  2. Troubleshooting

Whitelisting FlowMattic Webhook Endpoints on Cloudflare

Updated:

When using FlowMattic with Cloudflare or similar security services, you may encounter issues where webhooks fail or return 403 Forbidden errors, Or your Connect fails the authentication. This happens because Cloudflare’s security features (Bot Management, WAF, Browser Integrity Check) can mistakenly block legitimate webhook requests from external applications.

This guide will walk you through the process of whitelisting FlowMattic webhook endpoints in Cloudflare to ensure your automations work seamlessly.

Why Whitelisting is Necessary

FlowMattic uses webhook endpoints to receive data from external applications such as:

  • Zapier, Make (Integromat), Pabbly Connect
  • Payment gateways (Stripe, PayPal, Razorpay)
  • CRM systems (HubSpot, Salesforce)
  • Email marketing platforms (Mailchimp, ConvertKit)
  • Custom integrations and third-party services

When Cloudflare’s security rules are active, these webhook requests may be blocked, causing:

  • Webhooks to fail with 403 Forbidden errors
  • Workflow triggers not firing
  • Data not being received from external applications
  • Integration failures with third-party services
  • Authentication failing for apps that use OAuth callbacks via webhooks

FlowMattic Webhook Endpoints to Whitelist

FlowMattic provides two webhook URL formats that need to be whitelisted:

Endpoint Pattern Description
/wp-json/webhook/capture/* REST API webhook endpoint
/webhook/capture/* Shortened webhook URL (custom rewrite)

Example Webhook URLs

https://example.com/wp-json/webhook/capture/abc123
https://example.com/webhook/capture/abc123

Note: The abc123 portion is your unique workflow ID. The whitelist rules use wildcards to cover all workflow IDs.

Step-by-Step Cloudflare Configuration

Step 1: Access Cloudflare Dashboard

  1. Log in to your Cloudflare Dashboard
  2. Select your domain from the list
  3. You’ll be configuring rules in the Security and Caching sections

Cloudflare Dashboard

Step 2: Create Security Custom Rules

Navigate to SecuritySecurity rules and create a new custom rule.

Rule Configuration:

Rule name: Allow FlowMattic Webhooks

Expression (Edit expression):

(http.request.uri.path contains "/wp-json/webhook/capture/") or
(http.request.uri.path contains "/webhook/capture/")

Action: Select Skip and check the following options:

  • ✅ All remaining custom rules
  • ✅ Rate limiting rules
  • ✅ User Agent Blocking
  • ✅ Browser Integrity Check
  • ✅ All managed rules (if using WAF managed rules)

Security Security rules.png

Click Deploy to save the rule.

Important: Make sure this rule is placed at the top of your rules list so it executes first.

Step 3: Configure Bot Fight Mode Exception

If you have Bot Fight Mode or Super Bot Fight Mode enabled, you need to create an exception for webhook requests.

Navigate to SecurityBots and configure:

  1. If using Super Bot Fight Mode, click Configure
  2. Add the FlowMattic webhook paths to the skip list

Alternatively, create a Configuration Rule:

  1. Go to RulesConfiguration Rules
  2. Click Create rule
  3. Set the expression:
(http.request.uri.path contains "/wp-json/webhook/capture/") or
(http.request.uri.path contains "/webhook/capture/")
  1. Under Bot Management, select Skip

Security Security rules jsonlint.me InfiWebs Pvt. Ltd. Cloudflare 2026-01-24 at 8.39.59 PM.png

Step 4: Create Cache Bypass Rules

Webhook endpoints should never be cached. Navigate to CachingCache Rules and create a new rule.

Rule name: Bypass Cache for FlowMattic Webhooks

Expression:

(http.request.uri.path contains "/wp-json/webhook/capture/") or
(http.request.uri.path contains "/webhook/capture/")

Cache eligibility: Select Bypass cache

Caching Cache Rules.png

Click Deploy to save.

Step 5: Disable Under Attack Mode for Webhooks (Optional)

If you frequently use Under Attack Mode, create a rule to exclude webhook endpoints:

  1. Go to RulesConfiguration Rules
  2. Create a new rule with the same expression as above
  3. Set Security Level to Essentially Off for these paths

Alternative Method: Page Rules (Legacy)

If you prefer using Page Rules (legacy method), create rules for each pattern:

URL Pattern Settings
*example.com/wp-json/webhook/capture/* Cache Level: Bypass, Security Level: Essentially Off, Browser Integrity Check: Off
*example.com/webhook/capture/* Cache Level: Bypass, Security Level: Essentially Off, Browser Integrity Check: Off

Note: Replace example.com with your actual domain name.

Page Rules.png

Verifying Your Configuration

After setting up the rules, test your FlowMattic webhooks:

Test Webhook Endpoint

  1. Go to FlowMatticWorkflows
  2. Open a workflow with a Webhook trigger
  3. Copy the webhook URL
  4. Use a tool like Postman or Webhook.site to send a test POST request
  5. Verify the workflow executes successfully

Check Cloudflare Logs

  1. Go to SecurityEvents
  2. Filter by URI path containing /webhook/capture/
  3. Verify requests are being allowed (not challenged or blocked)

Troubleshooting

Still Getting 403 Errors?

  1. Check rule order - Ensure the Allow rule is at the top of the rules list
  2. Verify expression syntax - Double-check the expressions match exactly
  3. Disable Bot Fight Mode temporarily - Turn it off briefly to confirm it’s the cause
  4. Check origin server - Ensure your hosting server isn’t also blocking requests

Webhooks Timing Out?

  1. Check caching - Ensure cache bypass is working
  2. Review firewall logs - Look for blocked requests in Cloudflare events
  3. Test without Cloudflare - Pause Cloudflare temporarily to isolate the issue

Webhooks Working Intermittently?

  1. Rate limiting - Ensure rate limiting rules are skipped for webhook endpoints
  2. Challenge actions - Check if Cloudflare is presenting challenges to webhook requests
  3. Geographic restrictions - Verify your security rules aren’t blocking requests from certain regions

Other Security Plugins

If you’re using additional security plugins alongside Cloudflare, you may need to whitelist webhook endpoints in those as well:

Wordfence

  1. Go to WordfenceFirewallAll Firewall Options
  2. Scroll to Whitelisted URLs
  3. Add:
    • /wp-json/webhook/capture/
    • /webhook/capture/

Sucuri

  1. Access your Sucuri dashboard
  2. Navigate to FirewallWhitelist
  3. Add the webhook endpoint paths

Jetpack

  1. Go to JetpackSettingsSecurity
  2. Configure brute force protection exceptions for webhook URLs

Summary

To ensure FlowMattic webhooks work correctly with Cloudflare:

  1. ✅ Create WAF custom rules to skip security checks for webhook endpoints
  2. ✅ Configure Bot Fight Mode exceptions
  3. ✅ Set up cache bypass rules
  4. ✅ Test webhooks after configuration
  5. ✅ Monitor Cloudflare events for any blocked requests

Endpoints to whitelist:

  • /wp-json/webhook/capture/*
  • /webhook/capture/*

By following these steps, your FlowMattic webhook automations will work seamlessly while maintaining security for the rest of your website.

Last updated: January 2026
Attachments
Was this article useful?
Like
Dislike
Help us improve this page
Please provide feedback or comments
Access denied
Access denied