
Webhook Verification & Security

To ensure that only legitimate requests from your service providers reach your consumers, Hooque provides several layers of authentication and verification.

Authentication Modes

When creating a webhook, you can choose from three authentication categories:

  1. Public (No Auth): Any request sent to the webhook URL will be accepted and queued. Use this only for internal testing or with providers that do not support authentication.
  2. Preset Providers: Optimized verification strategies for popular SaaS platforms (e.g., Stripe, GitHub). Hooque automatically handles signature verification, timestamp validation, and replay protection.
  3. Manual Configuration: Custom verification logic using standard methods like HMAC, Basic Auth, or API Keys.

Supported Preset Providers

Hooque supports built-in signature verification for the following platforms. When using these, simply provide the Webhook Secret (sometimes called a "Signing Secret" or "Verification Token") from the provider's dashboard.

| Category | Supported Providers |
| --- | --- |
| Version Control | GitHub, GitLab, Bitbucket |
| Payments & Billing | Stripe, Shopify, Lemon Squeezy |
| Communication | Slack, Discord, Intercom |
| Operations | PagerDuty, Jira (Atlassian), Monday.com, Asana |
| Infrastructure & Apps | Svix, Clerk, WorkOS, HubSpot, Typeform |

How it works

  1. Select a provider in the Hooque dashboard.
  2. Copy the Secret from your provider (e.g., Stripe Developer Dashboard -> Webhooks -> Signing Secret).
  3. Paste the Secret into the "Webhook Token" field in Hooque.
  4. Hooque will now automatically reject any incoming requests that do not match the provider's signing algorithm.

Manual Authentication

If your provider is not listed above, or if you are sending custom webhooks, you can manually configure verification.

1. HMAC (Signed Payloads)

The most common method for securing webhooks. You provide a secret and specify:

  - Algorithm: sha1, sha256, etc.
  - Header: The header containing the signature (e.g., X-Signature).
  - Encoding: hex or base64.
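
The three HMAC settings above (algorithm, header, encoding) map directly onto a verification routine. The following Python is an added example, not Hooque's implementation; it assumes the signature covers the raw request body and that the header carries only the encoded digest. The function names, the algorithm allow-list and the sample values are constructed for illustration.

```python
import base64
import hmac

ALLOWED_ALGORITHMS = {"sha1", "sha256", "sha512"}  # assumed allow-list


def sign(secret, body, algorithm="sha256", encoding="hex"):
    """Sender side: HMAC over the raw body, encoded for the header."""
    mac = hmac.new(secret, body, algorithm).digest()
    return mac.hex() if encoding == "hex" else base64.b64encode(mac).decode()


def verify_hmac(secret, body, headers, header_name="X-Signature",
                algorithm="sha256", encoding="hex"):
    """Receiver side: True only if the header holds a valid HMAC of body."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if encoding not in ("hex", "base64"):
        raise ValueError(f"unsupported encoding: {encoding}")
    # HTTP header names are case-insensitive.
    received = next((v for k, v in headers.items()
                     if k.lower() == header_name.lower()), None)
    if not received:
        return False  # missing or empty signature header
    try:
        # Decode to raw bytes so hex letter case cannot cause a mismatch.
        if encoding == "hex":
            received_mac = bytes.fromhex(received.strip())
        else:
            received_mac = base64.b64decode(received.strip(), validate=True)
    except ValueError:  # also covers binascii.Error for malformed base64
        return False
    # Sign the exact bytes received, never a re-serialized copy.
    expected = hmac.new(secret, body, algorithm).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values, not real credentials or provider payloads.
SECRET = b"example-secret"
BODY = b'{"event":"invoice.paid","id":"evt_123"}'

if __name__ == "__main__":
    good = {"x-signature": sign(SECRET, BODY)}
    print(verify_hmac(SECRET, BODY, good))
    print(verify_hmac(SECRET, BODY + b" ", good))
    print(verify_hmac(SECRET, BODY, {"X-Signature": "not-hex"}))
```
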

2. API Key

Hooque checks for a static key in a specific header.

  - Header: e.g., X-API-Key.
  - Value: The secret key you configured.

3. Basic Auth

Standard HTTP Basic Authentication.

  - Username: (Optional)
  - Password: Your configured secret.

4. Query Parameter

Hooque checks for a specific token in the URL query string.

  - Parameter Name: e.g., token.
  - Value: The secret token.


Security Best Practices

Rotate Secrets Regularly

If you suspect a secret has been leaked, rotate it immediately in both the provider's dashboard and Hooque.

Use HTTPS

Always use the https:// version of your Hooque webhook URL to ensure data is encrypted in transit.

Verify in your Consumer (Optional)

While Hooque verifies the source of the webhook, your consumer should still check the content of the message to ensure it matches your expected schema.