About Zapier Community
New to our Community? Get to know more about our space and how to make the most of your time here.

Code of Conduct Community FAQ's Zapier Common Questions What to Expect

Get Started With Zapier
New to Zapier? We have got you covered with our Zapier 101 Resources.

Zapier Essentials

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Zapier Reading
All of our best learning resources can be found here.

Featured Articles Show & Tell AI Hub Zapier Tools Hub

Learning Groups
Excited to meet other builders? Check out our interest areas full of doers, dreamers, and in-betweeners.

User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Question

Static webhook authentication approach

  • 22 September 2022
  • 1 reply
  • 240 views
R

I’m looking into adding webhook support into an application, and at first glance it looks like webhooks by Zapier will work great. However, the lack of authentication (as far as I can see) within Zapier seems to make this far too dangerous. Am I missing something, or is the “security” really a matter of security by obscurity, and dependent on keeping the webhook URL safe? I don’t see what there is to prevent anyone posting against this URL if they find it.

One idea I did have was to a “run javascript in code” step with the hook, and use this to check a HMAC header, using a secret key i’ve stored in Storage by Zapier. 

Should I just be using a different approach altogether, the Zapier platform mentions authentication but this seems to be about authentication back to my app, rather than authenticating requests to Zapier. 

thanks!

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

1 reply

R

I could definitely achieve what I want with something like this, but this doesn’t feel like what i’d expect to be necessary here?

 

 

Would love to be told there’s a better way here. 

Just to confirm what I want:

 

  • Receive webhook
  • Verify webhook (for example using HMAC header)
  • Continue if verified...
Terms & Conditions