Authentication of Webhooks
Authentication​
In our example so far, we have not added authentication of the webhook to the workflow to ensure it comes from the intended source. Authentication is optional and is up to the developer building the workflow to implement. You will have access to all http headers and url parameters, to handle authentication in your webhook handler block. As a basic authentication mechanism, Canvas generates a secret for each webhook.
The secret value is available in the webhook payload under the “secret” property. If possible, you can set your source application to include the secret in a http header or url parameter, and then verify in your handler block that the secret in the request matches the secret for the workflow.
IP Address Restriction​
If you wish, you can enable IP restriction as an additional security layer. When done, only webhook events from the approved IPs will be processed. IP addresses are added as in the below screenshot.
