Webhook incoming authentication & security

  • 6 April 2021
  • 1 reply

Hey All, new to Zapier here. Awesome product this. Has all the “Actions” I need and was easily able to test a bunch of them now. Currently my situation is this:

  • I have an app running on our server and when something specific happens we are going to send a post to a Zapier Webhook or to a Customer Zapier Platform Integration we’ve created for our private use and that will for instance send a MS Teams msg, send an email or a text msg.
  • My issue is this: I know on the generic “Webhooks By Zapier” you can’t add Basic Auth for incoming requests to the Zapier generated Webhook URL but what I want to do is for instance: Add Basic Auth or API Key for my Zapier Webhook generated URL so from my app I will send for instance Base64 Encoded user & password via the Authorization header to the Zapier generated url of say: etc.  

Now I’m struggling how to set this up via my custom app on . It seems the authentication “Basic Auth” section on there is geared to when I want to call an endpoint that is using Basic Auth. Ideally I want to set a user & password and return a 401 for any incoming requests to the generated Webhook URL that do not have the correct credentials. I’ve seen multiple posts saying this is possible but nothing on how to do it and I’m obviously missing something here :( If anyone can help me out with this it would be greatly appreciated. Even if it’s something along the lines of setting an environmental variable and check the incoming header for this and return a 401? 

  • Secondly is there any way to white list incoming IP’s to this WebHook?

Thanx all!




This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

1 reply

Userlevel 4
Badge +4

@jjay225 all of this is possible. However, you’ll have to do this in the perform code for your trigger. Not the authentication section.

In the perform code you can hard code the values for the credentials and IP addresses that you want to allow.

Alternatively you could make an HTTP request to your external system to do this verification and avoid hardcoding any values into the Zapier code. This is the best option for maintainability and security.