How to Test Slack Webhooks: Complete Guide

Understanding Slack's Webhook Types

Slack offers multiple webhook mechanisms, each serving a different purpose. Understanding which type to use — and how to test each — is essential for building reliable Slack integrations.

Testing Incoming Webhooks (Sending to Slack)

Incoming webhooks are the simplest Slack integration. Slack gives you a URL; you POST JSON to it; a message appears in a channel.

Setup

1. Go to api.slack.com/apps → Create New App → From Scratch.
2. Under Features → Incoming Webhooks → Activate.
3. Click "Add New Webhook to Workspace" and select a channel.
4. Copy the webhook URL (looks like https://hooks.slack.com/services/T.../B.../xxx).

Test with cURL

# Simple text message
curl -X POST https://hooks.slack.com/services/YOUR/HOOK/URL \
  -H "Content-Type: application/json" \
  -d '{"text": "Hello from my webhook test! 🎉"}'

# Rich message with blocks
curl -X POST https://hooks.slack.com/services/YOUR/HOOK/URL \
  -H "Content-Type: application/json" \
  -d '{
    "blocks": [
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": "*New Deployment* 🚀\nBranch: main\nStatus: Success"
        }
      }
    ]
  }'

Testing Events API (Receiving from Slack)

The Events API is where Requex.me becomes essential. Slack sends events to YOUR URL, and you need to capture and inspect them.

The URL Verification Challenge

When you first configure an Events API URL, Slack sends a verification challenge. Your endpoint must respond with the challenge value. This is critical to understand before testing.

// Slack sends this POST:
{
  "type": "url_verification",
  "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P",
  "token": "Jhj5dZrVaK..."
}

// Your server must respond with:
{
  "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P"
}

// Express.js handler:
app.post('/slack/events', (req, res) => {
  if (req.body.type === 'url_verification') {
    return res.json({ challenge: req.body.challenge });
  }
  
  // Handle actual events
  const { event } = req.body;
  console.log('Event:', event.type, event);
  res.status(200).send('OK');
});

Capture Events with Requex.me

While Requex.me can't respond to the URL verification challenge automatically, it's perfect for inspecting the payloads of actual events after verification. Use it to understand the exact structure of message, reaction_added, member_joined_channel, and other events before building your handler.

Common Slack Webhook Events

Slack Webhook Security

Slack provides a signing secret for verifying requests. Always verify signatures in production to prevent spoofed events.

const crypto = require('crypto');

function verifySlackRequest(req, signingSecret) {
  const timestamp = req.headers['x-slack-request-timestamp'];
  const slackSignature = req.headers['x-slack-signature'];
  
  // Prevent replay attacks (reject if older than 5 minutes)
  const fiveMinAgo = Math.floor(Date.now() / 1000) - 300;
  if (timestamp < fiveMinAgo) return false;
  
  const sigBasestring = 'v0:' + timestamp + ':' + req.rawBody;
  const mySignature = 'v0=' + crypto
    .createHmac('sha256', signingSecret)
    .update(sigBasestring)
    .digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(mySignature),
    Buffer.from(slackSignature)
  );
}

For more details on webhook security, see our Webhook Security Best Practices guide.