Someone is triggering a GET-request flowcard


I have a flow card that is triggered from a Logic GET-request.

Whenever a request is made to the URL, a push notification is sent to my mobile. It all works fine.

However, a few days ago, I got a bunch of notifications from the Flow over a few hours in the middle of the night. Then it stopped in the morning. The same thing happend the next night, and the night after that. These events are not triggered by the device the flow is intended to be triggered from, so I believe someone else is triggering my flow.

Using Logic flow card with GET-request as a trigger of a flow, is it possible for anybody to trigger my flow, as long as they know my Homey-ID and endpoint?

Is there any way that I can find out from what IP the flow is triggered? Logs?

Thanks for any help on this! I am confused.

Yes. And since the endpoint contains your Homey ID, they only have to know the URL.

It could be an innocent situation where the URL has somehow leaked and now it’s being indexed by a search engine, for instance.

That’s why it’s common that webhooks only work with POST requests, which search engines typically don’t index.


1 Like

And I think when you use this trigger card

changing all of your current event and tag descriptions, is the only and easiest way to stop these flows from being triggered.
You can’t trigger flows without at least a matching event description.

Other option, request a new homeyID;
But little chance (=assumption) Athom can change or wants to change your homeyID

1 Like

Thanks for your help on this!

However, in my case, it turned out I was wrong in my first guess of the problem. The URL was not triggered from the Internet. The flow is triggered from my homemade WIFI mousetrap. The glue holding the switch was getting soft in the heat causing the switch to activate.

It is at least good to know that these events can be triggered by anyone that has access to the URL.

1 Like

You’re welcome! That’s something different hehe, glad you found the cause.