GCP Pub/Sub
Publish events to Google Cloud Pub/Sub topics using service account JWT authentication.
The gcp_pubsub provider publishes events to a Google Cloud Pub/Sub topic. hookstream signs short-lived JWTs with your service account private key and exchanges them for access tokens on the fly — no GCP SDK needed.
When to use this: you're on GCP and want hookstream events to flow into Pub/Sub subscribers (Dataflow, Cloud Functions, Cloud Run, BigQuery via Dataflow).
JWT signing uses crypto.subtle (RSASSA-PKCS1-v1_5 + SHA-256). The resulting access token is sent as an Authorization: Bearer header on the Pub/Sub publish call.
Configuration
- project_id: GCP project ID hosting the topic.
- topic_id: Pub/Sub topic name (just the short name, not the full resource path).
- service_account_json: Full service account key JSON as a string. Must contain client_email, private_key, and project_id. Stored encrypted and masked in GET responses.
Authentication
- Create a service account in the GCP console.
- Grant it the roles/pubsub.publisher role on the target topic:

  ```bash
  gcloud pubsub topics add-iam-policy-binding webhook-events \
    --member=serviceAccount:hookstream@my-project.iam.gserviceaccount.com \
    --role=roles/pubsub.publisher
  ```

- Download the service account key JSON.
- Paste the entire file contents into the service_account_json field.
Under the hood, hookstream extracts client_email and private_key, signs a JWT with scope=https://www.googleapis.com/auth/pubsub, exchanges it at https://oauth2.googleapis.com/token, and caches the bearer token for the publish call.
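The signing step described above, as an added Node.js example (not hookstream's own code): it parses a service account JSON, imports private_key as a non-extractable key, signs the assertion with RSASSA-PKCS1-v1_5 and SHA-256, and checks the signature against the public key. The function names, the one-hour lifetime and the throwaway key generated in demo() are assumptions of this example; no network call is made.

```javascript
// Added example for Node.js; helper names are illustrative, not hookstream's code.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const RS256 = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
const b64url = (data) => Buffer.from(data).toString('base64url');

// PEM (PKCS#8) -> DER bytes. JSON.parse has already turned the key file's
// "\n" escapes into real newlines; they are stripped with the PEM armor.
function pemToDer(pem) {
  return Buffer.from(pem.replace(/-----[A-Z ]+-----|\s/g, ''), 'base64');
}

// Build and sign the JWT assertion for the OAuth 2.0 JWT bearer grant.
async function signAssertion(serviceAccountJson, now = Math.floor(Date.now() / 1000)) {
  const sa = JSON.parse(serviceAccountJson);
  for (const f of ['client_email', 'private_key', 'project_id']) {
    if (!sa[f]) throw new Error(`service account JSON is missing ${f}`);
  }
  // extractable=false: the imported key can sign but cannot be exported again.
  const key = await subtle.importKey('pkcs8', pemToDer(sa.private_key), RS256, false, ['sign']);
  const claims = {
    iss: sa.client_email,
    scope: 'https://www.googleapis.com/auth/pubsub',
    aud: 'https://oauth2.googleapis.com/token',
    iat: now,
    exp: now + 3600, // assumed lifetime; Google caps assertions at one hour
  };
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = await subtle.sign(RS256, key, Buffer.from(input));
  return `${input}.${b64url(sig)}`;
}

// Form body for the POST to https://oauth2.googleapis.com/token.
const tokenRequestBody = (jwt) => new URLSearchParams({
  grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: jwt }).toString();

// Constructed fixture: a throwaway RSA key wrapped like a downloaded key file.
async function demo() {
  const pair = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ['sign', 'verify']);
  const der = Buffer.from(await subtle.exportKey('pkcs8', pair.privateKey)).toString('base64');
  const pem = `-----BEGIN PRIVATE KEY-----\n${der.match(/.{1,64}/g).join('\n')}\n-----END PRIVATE KEY-----\n`;
  const json = JSON.stringify({ type: 'service_account', project_id: 'my-gcp-project',
    client_email: 'hookstream@my-gcp-project.iam.gserviceaccount.com', private_key: pem });
  const jwt = await signAssertion(json, 1700000000);
  const [h, c, s] = jwt.split('.');
  const verified = await subtle.verify(RS256, pair.publicKey,
    Buffer.from(s, 'base64url'), Buffer.from(`${h}.${c}`));
  return { jwt, verified, claims: JSON.parse(Buffer.from(c, 'base64url').toString()) };
}
```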
Message Format
The webhook body is base64-encoded and sent as the Pub/Sub message data field. Message attributes include event_id and source_id so subscribers can filter without decoding the payload.
Example
```bash
curl -X POST https://hookstream.io/v1/destinations \
  -H "X-API-Key: $HOOKSTREAM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Analytics Topic",
    "type": "gcp_pubsub",
    "config": {
      "project_id": "my-gcp-project",
      "topic_id": "webhook-events",
      "service_account_json": "{\"type\":\"service_account\",\"project_id\":\"my-gcp-project\",\"client_email\":\"hookstream@my-gcp-project.iam.gserviceaccount.com\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\n...\\n-----END PRIVATE KEY-----\\n\"}"
    }
  }'
```
Gotchas
The private_key field contains literal \n escape sequences. Pass the service account JSON exactly as downloaded — don't try to pretty-print or unescape it.
hookstream does not create topics. Create the topic ahead of time with gcloud pubsub topics create.
Service account keys never expire on their own. Rotate them via Terraform or gcloud on a cadence and update the destination config.