Security Layer

Security is not optional. Always authenticate webhooks in production environments.

Introduction

Security is paramount in webhook processing. Webhooked provides multiple authentication mechanisms to ensure only authorized sources can trigger your webhooks.

Security Context Variables

Variables available in security conditions:

Variable

Description

Example

.SpecName

Name of the current spec as defined in config

"user-events"

.SpecEntrypointURL

EntrypointURL of the current spec as defined in config

"/user-events"

.ConnID

Unique connection ID

123549841

.ConnTime

Connection established time

time.Time object 2025-08-20T21:10:00Z

.Host

Host header of request

"example.com"

.IsTLS

Whether request is HTTPS

true

.Method

HTTP method used

"POST"

.Payload

Raw request body

{"data": "value"}

.QueryArgs

Query parameters object

fasthttp.Args{"id":"123","token":"abc"}

.RemoteAddr

Remote Addr

"192.168.1.10:54321"

.RemoteIP

Remote network address

"192.168.1.1"

.RequestTime

Time when request was received

time.Time object 2025-08-20T21:10:00Z

.Request

Full fasthttp.Request object

&fasthttp.Request{...}

.URI

Request URI

"/webhooks/..."

.UserAgent

Client User-Agent header

"Mozilla/5.0 (X11; Linux x86_64)"

Security Providers

GitHub

The GitHub provider validates webhook signatures using HMAC-SHA256.

security:
  type: github
  specs:
    secret: # Valuable - see doc "Sourcing (Valuable)" for more info
      valueFrom:
        envRef: GITHUB_WEBHOOK_SECRET

How It Works

GitHub signs the payload with your secret using HMAC-SHA256
Sends signature in X-Hub-Signature-256 header
Webhooked validates the signature matches
Rejects with 401 if validation fails

GitHub Webhook Setup

In your GitHub repository settings:

Go to Settings → Webhooks
Add webhook URL: https://your-domain/webhooks/v1alpha2/your-path
Set Content type: application/json
Set Secret: Your webhook secret
Select events to trigger webhook

Validation Example

webhooks:
  - name: github-push
    entrypointUrl: /github/push
    security:
      type: github
      specs:
        secret:
          valueFrom:
            envRef: GITHUB_SECRET
    response:
      statusCode: 200
      formatting:
        templateString: |
          {
            "status": "validated",
            "event": "{{ .Request.Header.Peek "X-GitHub-Event" | toString }}",
            "delivery": "{{ .Request.Header.Peek "X-GitHub-Delivery" | toString }}"
          }

Custom

The custom provider allows you to define authentication logic using Go templates.

Basic Token Authentication

security:
  type: custom
  specs:
    condition: |
      {{ eq (.Request.Header.Peek "X-API-Key" | toString) (env "API_KEY") }}

Multiple Conditions

security:
  type: custom
  specs:
    condition: |
      {{ and 
        (eq (.Request.Header.Peek "X-API-Key" | toString) (env "API_KEY"))
        (eq (.Request.Header.Peek "X-Tenant-ID" | toString) "tenant-123")
        (contains (.Request.Header.Peek "User-Agent" | toString) "MyApp")
      }}

NoOp

The NoOp provider disables authentication entirely. Use only in development!

security:
  type: noop

⚠️ Warning: Never use noop in production environments!

PreviousFormatting NextStorage Layer

Last updated 6 months ago

hashtagIntroduction

hashtagSecurity Context Variables

hashtagSecurity Providers

hashtagGitHub

hashtagHow It Works

hashtagGitHub Webhook Setup

hashtagValidation Example

hashtagCustom

hashtagBasic Token Authentication

hashtagMultiple Conditions

hashtagNoOp