Swell
How to verify if the Webhook call came from Swell? #347
-
|
How can we verify if a Webhook call came from Swell? We were hoping we can use the "Alias" to set a shared secret -- but it does not seem to get sent back with the Webhook call.
Headers: 
|
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 4 replies
-
|
Currently, we don't have any security mechanism to verify the webhook data whether it is triggered from Swell. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the response, do you have plans to implement this in the near future? This approach is counter-intuitive and wouldn't this impact API limits? |
Beta Was this translation helpful? Give feedback.
-
|
We typically recommend putting a shared secret in the webhook URL itself |
Beta Was this translation helpful? Give feedback.
-
|
@jramoyo-serenade You can also verify it using the list of IP addresses from which we will trigger webhooks: Would this work for you? |
Beta Was this translation helpful? Give feedback.
-
|
@logeshswell How often would these change? And where/how can we check for changes? |
Beta Was this translation helpful? Give feedback.
-
|
IPs are very less likely to be changed. |
Beta Was this translation helpful? Give feedback.
-
|
We can update the IP list in the below page if it's changed. |
Beta Was this translation helpful? Give feedback.
Currently, we don't have any security mechanism to verify the webhook data whether it is triggered from Swell.
Instead, we recommend fetching the associated record using
data.idbefore performing a relevant action for the time being.https://developers.swell.is/backend-api/webhooks/receiving-webhooks