Triggers differ in authority and delivery semantics. WhatsApp events may retry, forms accept untrusted public input, and Sheets polling can reread or miss rows if state is weak. Normalize every source into one internal event contract.
Design Source Adapters
source event
→ authenticate source
→ validate and minimize
→ assign stable source_event_id
→ map event_type/schema_version
→ consent/policy gate
→ enqueue business workflow
Keep source-specific details in the adapter. The downstream workflow should not need to understand every WhatsApp payload or sheet column name.
Record delivery semantics per source: push or poll, at-most/at-least/unknown delivery, ordering guarantee, retry window, and deletion behavior. The adapter must tolerate events arriving late or out of order. If ordering matters, compare authoritative sequence/time fields and route conflicts for reconciliation rather than assuming n8n execution order equals source order.
Source Rules
WhatsApp: use official Business Platform/provider integration, verify callbacks, preserve message ID, enforce consent and service-window/template rules, and provide human escalation.
Forms: apply CSRF/origin controls where relevant, CAPTCHA/abuse controls proportionate to risk, schema/size limits, explicit privacy notice, and no secret fields.
Sheets: use a dedicated authorized sheet, stable row ID and processed state, least scopes, controlled sharing, and concurrency protection. A spreadsheet is not a payment or identity authority.
Worked Example
Three sources submit quotation requests. Adapters emit:
{
"source_event_id": "form:8f2",
"source": "website_form",
"event_type": "quote.requested",
"payload": { "service_code": "CATALOG", "city": "Karachi" },
"consent": { "service_reply": true, "marketing": false }
}
The shared workflow creates a DRAFT request once. It does not send marketing because service-reply permission is not marketing consent.
Failure Cases to Diagnose
- Phone number means WhatsApp opt-in: capture evidence and scope.
- Form accepts arbitrary HTML/files: validate and scan/avoid unnecessary uploads.
- Sheet row position is ID: use immutable key.
- Polling rereads rows: checkpoint and idempotency.
- One adapter forwards full payload: minimize fields.
- Trigger directly performs payment/message: route through gates.
🇵🇰 Pakistan Angle
Keep Roman Urdu/English choice explicit. Do not infer language from name or city. For low-bandwidth users, forms and messages should be short and resumable.
Never ask for OTP, PIN, banking password, or unnecessary CNIC data in a form or Sheet. Use client-controlled accounts, not a freelancer’s personal Google Sheet or WhatsApp number.
Hands-On Exercise
- Define the normalized event schema.
- build two synthetic source adapters.
- add stable IDs and consent mapping.
- test duplicate, changed columns, malicious input, and no consent.
- verify one downstream draft.
Completion Rubric
- Sources map to one versioned event.
- Each source authenticates/validates appropriately.
- Stable IDs protect repeated delivery/polling.
- Consent scopes remain distinct.
- Payloads are minimized.
- Business effects occur behind separate gates.
Sources
- n8n Docs — Trigger nodes
- n8n Docs — WhatsApp Business Cloud node
- WhatsApp Business — Messaging policy
Key takeaway: normalize source events, preserve delivery identity and consent, and keep trigger adapters separate from consequential business effects.