Authenticating Webhooks

Q: How can we authenticate the webhook calls from your side? How can we verify that it is indeed AuthRocket who sent us the webhooks and not some fraudulent actor?


A: On webhook security, you have a couple options to ensure they are from AuthRocket:

a) Configure the webhook with an HTTP user+password, ie: https://authrocket:some-token@yourapp.com/webhooks/authrocket, and ensure the password/token matches before continuing.

b) Every inbound webhook is correlated with an Event, so you can always make an API call back to AuthRocket to load the event ID. For an inbound webhook with id=ev_ABCD, perform an API call back to:

GET /v1/events/ev_ABCD

You can use the API payload instead of the original webhook payload if you want, ensuring its authenticity.

See: Get an Event

Tagged with: webhooks security

Questions? Find a Typo? Get in touch.