Q: How can we authenticate the webhook calls from your side? How can we verify that it is indeed AuthRocket who sent us the webhooks and not some fraudulent actor?
A: On webhook security, you have a couple options to ensure they are from AuthRocket:
a) Configure the webhook with an HTTP user+password, ie:
https://authrocket:firstname.lastname@example.org/webhooks/authrocket, and ensure the password/token matches before continuing.
b) Every inbound webhook is correlated with an Event, so you can always make an API call back to AuthRocket to load the event ID. For an inbound webhook with
id=ev_ABCD, perform an API call back to:
You can use the API payload instead of the original webhook payload if you want, ensuring its authenticity.
See: Get an Event
Questions? Find a Typo? Get in touch.