Incoming Webhook Verification

  • Updated

Act-On Supports the following authentication methods for Incoming Webhooks:

  • Basic: Username & Basic
  • Bearer Token
  • Digital Signature

Basic

Enter a desired pair of username and password. It does not need to be your Act-On account login but they need to match the parameters included in the Outgoing Webhook header. Make sure you store the credentials somewhere safe.

Bearer Token

Generate a token for each webhook from Act-On that will need to be included in the Outgoing Webhook header. Make sure you store the token somewhere safe.

Digital Signature

Act-On’s webhook verification employs digital signatures to enhance security. HMAC (Hash-based Message Authentication Code) is exclusively supported with the following hashing functions: SHA-1, SHA-256, SHA-512, SHA-384, and MD5. Payloads can be encoded using Base64, Hexadecimal (Hex), or plain text, providing flexibility in data representation. These digital signatures ensure data integrity and origin authenticity, guaranteeing secure data consumption from third parties.

  1. Select Digital Signature (HMAC) from the Authentication type dropdown:



  2. Select the proper function:



  3. Choose Encoding:



  4. Add Signature and key (key format is validated against selected Encoding option).

The digital signature format can be found in the third party that is triggering the webhook. Refer to their documentation for details. Here are a couple of examples:

Calendly

Supports HMAC-SHA-256 with text encoding

# Determine the expected signature by computing an HMAC with the SHA256 hash function.

expected_signature = (hmac << signed_payload).to_s

YouTube

Supports HMAC-SHA-256
https://www.youtube.com/watch?v=I2ZYUulreI4 

Cvent

HMACK-SHA-1 base64

https://developers.cvent.com/doc/event-management/http-post-getting-started/#4384

Was this article helpful?

Have more questions? Submit a request