Incoming Webhook Verification

  • Updated

Act-On Supports the following authentication methods for Incoming Webhooks:

  • Basic: Username & Basic
  • Bearer Token
  • Digital Signature


Enter a desired pair of username and password. It does not need to be your Act-On account login but they need to match the parameters included in the Outgoing Webhook header. Make sure you store the credentials somewhere safe.

Bearer Token

Generate a token for each webhook from Act-On that will need to be included in the Outgoing Webhook header. Make sure you store the token somewhere safe.

Digital Signature

Act-On’s webhook verification employs digital signatures to enhance security. HMAC (Hash-based Message Authentication Code) is exclusively supported with the following hashing functions: SHA-1, SHA-256, SHA-512, SHA-384, and MD5. Payloads can be encoded using Base64, Hexadecimal (Hex), or plain text, providing flexibility in data representation. These digital signatures ensure data integrity and origin authenticity, guaranteeing secure data consumption from third parties.

  1. Select Digital Signature (HMAC) from the Authentication type dropdown:

  2. Select the proper function:

  3. Choose Encoding:

  4. Add Signature and key (key format is validated against selected Encoding option).

The digital signature format can be found in the third party that is triggering the webhook. Refer to their documentation for details. Here are a couple of examples:


Supports HMAC-SHA-256 with text encoding

# Determine the expected signature by computing an HMAC with the SHA256 hash function.

expected_signature = (hmac << signed_payload).to_s


Supports HMAC-SHA-256 


HMACK-SHA-1 base64

Was this article helpful?

Have more questions? Submit a request