Webhook security and authentication
Webhooks use authentication to securely integrate with their destination systems and signing secrets to verify the integrity of their requests. This article describes the supported types of authentication and how to configure authentication.
For reference information, see Webhooks in the API documentation.
Webhooks support two types of authentication: basic and bearer token. Both types of authentication should only be used over HTTPS (TLS).
Although not recommended, it's also possible to create a webhook without authentication. To do this, omit the authentication property from the request.
Basic authentication uses a username and password. To create a webhook with basic authentication, use the authentication property to specify the username and password in your request to create the webhook.
Bearer authentication is an HTTP authentication scheme commonly referred to as token authentication. Bearer tokens are opaque strings, and they're the predominant type of access token used with OAuth 2.0.
To create a webhook with bearer token authentication, use the authentication property to specify the token in your request to create the webhook.
You have the option to sign requests from webhooks so the destination system can verify their integrity. To do this, create a signing secret for the webhook and then incorporate the secret into the destination system's code to validate the requests' signature. For more information, see Verifying webhook authenticity.
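The destination-side check described above can look like the following. This is an added example, not code from this documentation: the header names, the epoch-seconds timestamp, the five-minute window and the scheme itself (base64 of HMAC-SHA256 over timestamp plus raw body) are assumptions, so take the actual header names and algorithm from Verifying webhook authenticity.

```python
import base64
import hashlib
import hmac
import time

# Assumptions (not from this page): header names, epoch-second timestamps,
# and signature = base64(HMAC-SHA256(secret, timestamp + raw_body)).
SIG_HEADER = "x-webhook-signature"            # hypothetical header name
TS_HEADER = "x-webhook-signature-timestamp"   # hypothetical header name
MAX_SKEW_SECONDS = 300                        # assumed freshness window


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Compute the signature the sender is assumed to attach."""
    mac = hmac.new(secret, timestamp.encode("utf-8") + body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_request(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). `body` must be the raw bytes as received,
    before any JSON parsing or re-serialization."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sig, ts = lowered.get(SIG_HEADER), lowered.get(TS_HEADER)
    if not sig or not ts:
        return False, "missing signature headers"
    try:
        sent_at = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    # Reject old (or far-future) timestamps so a captured request cannot
    # be replayed indefinitely.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    secret = b"constructed-signing-secret"
    ts, body = "1700000000", b'{"event":"example"}'
    hdrs = {"X-Webhook-Signature": sign(secret, ts, body),
            "X-Webhook-Signature-Timestamp": ts}
    print(verify_request(secret, hdrs, body, now=1700000010))
    print(verify_request(secret, hdrs, body + b" ", now=1700000010))
```

Run the check before parsing or acting on the payload, and respond with an error status when it fails.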