The endpoint that receives webhook events will not require any authentication.
We push a POST request with the payload and expect an HTTP 200 success as a response.
Our webhooks do not have any handshake protocol or authentication, mainly because of the complexity it introduces at the receiver endpoints.
In the future, we will extend the Unify webhooks with configurable authentication.
To validate the source of the webhook events and prevent malicious sources, there are several options:
The delivery URL that will receive the webhook events can be anything that you configure on your systems, which means you can use an unguessable endpoint. Example:
https://yoursaas.com/api/apideck12345678abc/
Webhook events are pushed using the POST method and have specific headers: x-apideck-event-type, x-apideck-idempotency-key and a defined payload structure. To ensure the integrity of the source, you can validate the header names and perform a schema check on the payload.
Example of the headers & payload from our developers’ docs: https://developers.apideck.com/apis/hris/reference#operation/employeeUpdated
The payload values will reference a consumer_id, which represents the client for which the event was triggered. You can validate that the consumer_id value matches an actual ID within your system.
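The three checks above combined into one receiver-side validation routine, as an added example that is not Apideck's own code. The function name, the sample consumer IDs, and the assumption that the body is a JSON object with a top-level `payload` object holding `consumer_id` are illustrative; take the authoritative schema from the developer docs linked above.

```python
import hmac
import json

# Assumed values for illustration; the path mirrors the example URL above.
SECRET_PATH = "/api/apideck12345678abc/"
REQUIRED_HEADERS = ("x-apideck-event-type", "x-apideck-idempotency-key")
KNOWN_CONSUMERS = {"consumer-001", "consumer-002"}  # constructed IDs


def validate_webhook(method, path, headers, body, known_consumers=KNOWN_CONSUMERS):
    """Return (accepted, reason) for one incoming webhook delivery."""
    # Check 1: unguessable delivery URL, compared in constant time.
    if not hmac.compare_digest(path.encode(), SECRET_PATH.encode()):
        return False, "unknown path"
    if method != "POST":
        return False, "method not POST"
    # Check 2a: required header names (case-insensitive) with non-empty values.
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in REQUIRED_HEADERS:
        if not lowered.get(name, "").strip():
            return False, f"missing header {name}"
    # Check 2b: minimal schema check on the body (assumed shape, see lead-in).
    try:
        doc = json.loads(body)
    except ValueError:  # also covers undecodable bytes
        return False, "body is not JSON"
    payload = doc.get("payload") if isinstance(doc, dict) else None
    if not isinstance(payload, dict):
        return False, "payload object missing"
    consumer_id = payload.get("consumer_id")
    if not isinstance(consumer_id, str) or not consumer_id:
        return False, "consumer_id missing"
    # Check 3: the consumer must be one this system actually knows.
    if consumer_id not in known_consumers:
        return False, "unknown consumer_id"
    return True, "ok"


# Constructed sample delivery, not captured traffic.
SAMPLE_HEADERS = {
    "X-Apideck-Event-Type": "hris.employee.updated",
    "X-Apideck-Idempotency-Key": "sample-key-0001",
}
SAMPLE_BODY = json.dumps({"payload": {"consumer_id": "consumer-001"}})

if __name__ == "__main__":
    print(validate_webhook("POST", SECRET_PATH, SAMPLE_HEADERS, SAMPLE_BODY))
```

None of these checks authenticates the sender cryptographically; they only raise the bar for an unauthenticated endpoint, so keep the delivery path out of logs and client-side code.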