I’m looking into adding webhook support into an application, and at first glance it looks like webhooks by Zapier will work great. However, the lack of authentication (as far as I can see) within Zapier seems to make this far too dangerous. Am I missing something, or is the “security” really a matter of security by obscurity, and dependent on keeping the webhook URL safe? I don’t see what there is to prevent anyone posting against this URL if they find it.
One idea I did have was to add a “run javascript in code” step with the hook, and use this to check an HMAC header, using a secret key I’ve stored in Storage by Zapier.
Should I just be using a different approach altogether? The Zapier platform mentions authentication, but this seems to be about authentication back to my app, rather than authenticating requests to Zapier.
Thanks!
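The HMAC check proposed in the question could look like the sketch below, an added example that is not code from the original post or from Zapier. The function names, the `timestamp.body` signing format, the hex encoding and the 300-second replay window are assumptions, and the code step is assumed to receive the raw request body, the signature header and the timestamp header as inputs.

```javascript
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window

// Constructed sample values for the demonstration only.
const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_BODY = '{"event":"order.created","id":42}';

// Sender side (your application): sign "<timestamp>.<rawBody>" so the
// timestamp is covered by the MAC and cannot be swapped independently.
function signWebhook(rawBody, secret, timestamp) {
  return crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');
}

// Receiver side (the code step). rawBody must be the exact bytes that were
// sent; re-serialising parsed JSON can change key order or whitespace and
// break the MAC.
function verifyWebhook({ rawBody, signature, timestamp, secret, now }) {
  // Reject anything that is not a 64-char lowercase hex SHA-256 digest.
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: 'malformed signature' };
  }
  // Reject old or future-dated requests to limit replay of captured posts.
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(now - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale timestamp' };
  }
  const expected = Buffer.from(signWebhook(rawBody, secret, timestamp), 'hex');
  const received = Buffer.from(signature, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, reason: 'verified' };
}
```

A failed check can only stop the workflow at this step; the hook URL itself still accepts the request, so the URL should continue to be treated as a secret.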