Act-On supports the following authentication methods for Incoming Webhooks:
- Basic: Username & Password
- Bearer Token
- Digital Signature
Basic
Enter a username and password pair of your choice. They do not need to be your Act-On account login, but they must match the parameters included in the Outgoing Webhook header. Make sure you store the credentials somewhere safe.
Bearer Token
Generate a token for each webhook from Act-On that will need to be included in the Outgoing Webhook header. Make sure you store the token somewhere safe.
Digital Signature
Act-On’s webhook verification employs digital signatures to enhance security. HMAC (Hash-based Message Authentication Code) is exclusively supported with the following hashing functions: SHA-1, SHA-256, SHA-512, SHA-384, and MD5. Payloads can be encoded using Base64, Hexadecimal (Hex), or plain text, providing flexibility in data representation. These digital signatures ensure data integrity and origin authenticity, guaranteeing secure data consumption from third parties.
- Select Digital Signature (HMAC) from the Authentication type dropdown.
- Select the proper function.
- Choose Encoding.
- Add Signature and key (key format is validated against selected Encoding option).
The digital signature format is defined by the third party that triggers the webhook. Refer to their documentation for details. Here are a couple of examples:
Calendly
Supports HMAC-SHA-256 with text encoding
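# Determine the expected signature by computing an HMAC with the SHA256 hash function.
require 'openssl' # webhook_signing_key and signed_payload are assumed to be set by the caller
hmac = OpenSSL::HMAC.new(webhook_signing_key, OpenSSL::Digest.new('SHA256'))
expected_signature = (hmac << signed_payload).to_s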
YouTube
Supports HMAC-SHA-256
https://www.youtube.com/watch?v=I2ZYUulreI4
Cvent
Supports HMAC-SHA-1 with Base64 encoding
https://developers.cvent.com/doc/event-management/http-post-getting-started/#4384
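The function and encoding choices from the Digital Signature setup above, shown as a receiver-side check. This is an added example, not Act-On's or any third party's code. It assumes the Encoding option describes how the shared key is written (text, hex, or Base64) and that the sender transmits the signature as a hex digest; `decode_key`, `verify_webhook` and all sample values are hypothetical.

```ruby
require 'openssl'

# Hash functions the page lists as supported for HMAC, mapped to OpenSSL names.
DIGESTS = {
  'SHA-1' => 'SHA1', 'SHA-256' => 'SHA256', 'SHA-384' => 'SHA384',
  'SHA-512' => 'SHA512', 'MD5' => 'MD5'
}.freeze

# Turn the configured key into raw bytes according to the chosen encoding.
# Raises ArgumentError when the key does not match that encoding.
def decode_key(key, encoding)
  case encoding
  when :text then key
  when :hex
    raise ArgumentError, 'key is not valid hex' unless key.match?(/\A(\h\h)+\z/)
    [key].pack('H*')
  when :base64 then key.unpack1('m0') # strict Base64; ArgumentError on bad input
  else raise ArgumentError, "unsupported encoding: #{encoding}"
  end
end

# Recompute the HMAC over the exact raw request body and compare it with the
# received hex signature without leaking timing information.
def verify_webhook(body, received_sig, key:, function:, encoding:)
  name = DIGESTS.fetch(function) { raise ArgumentError, "unsupported function: #{function}" }
  expected = OpenSSL::HMAC.hexdigest(name, decode_key(key, encoding), body)
  OpenSSL.secure_compare(expected, received_sig.to_s.strip.downcase)
end

# Constructed sample data (not real credentials or a real payload).
BODY     = '{"event":"invitee.created","id":"constructed-123"}'
KEY_TEXT = 'constructed-signing-key'
KEY_B64  = [KEY_TEXT].pack('m0')
KEY_HEX  = KEY_TEXT.unpack1('H*')
GOOD_SIG = OpenSSL::HMAC.hexdigest('SHA256', KEY_TEXT, BODY)
```

Verify against the raw bytes of the request body as received; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.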