Skip to main content

Webhook Verification


Overview

The Webhook Verification module authenticates that webhook requests sent to your HTTP endpoints are originated by your webhook provider and intended for you. It also prevents replay attacks when supported by the provider.

It is configured with a provider name and a secret key given to you by the provider.

Webhook Verification is important because without it, an attacker could send malicious payloads to your application which could lead to security vulnerabilities or leak confidential data.

Webhook requests that are properly authenticated by the provider will be sent to your upstream application. Other requests will be rejected with an error.

We've written integration guides for every supported provider to make it easy for you to set up because there is little standardization among providers.

We contribute everything we learn while building this module back to the community at Webhooks.fyi.

Quickstart

Agent CLI

ngrok http 80 --verify-webhook stripe --verify-webhook-secret whsec_secret

Agent Configuration File

tunnels:
example:
proto: http
addr: 80
verify_webhook:
provider: "twilio"
secret: "twilio-auth-token"

SSH

ssh -R 443:localhost:80 connect.ngrok-agent.com http \
--verify-webhook slack \
--verify-webhook-secret slack_signing_secret

Go SDK

import (
"context"
"net"

"golang.ngrok.com/ngrok"
"golang.ngrok.com/ngrok/config"
)

func listenWebhookVerification(ctx context.Context) net.Listener {
listener, _ := ngrok.Listen(ctx,
config.HTTPEndpoint(
config.WithWebhookVerification("shopify", "app-client-secret"),
),
ngrok.WithAuthtokenFromEnv(),
)
return listener
}

Rust SDK

use ngrok::prelude::*;

async fn start_tunnel() -> anyhow::Result<impl Tunnel> {
let sess = ngrok::Session::builder()
.authtoken_from_env()
.connect()
.await?;
let tun = sess
.http_endpoint()
.webhook_verification("zendesk", "zendesk-signing-secret")
.listen()
.await?;
println!("Listening on URL: {:?}", tun.url());
Ok(tun)
}

Kubernetes Ingress Controller

---
apiVersion: v1
kind: Secret
metadata:
name: github-webhook-secret
type: Opaque
data:
secret-token: "<base64-encoded-webhook-secret>"
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: ngrok-module-set
modules:
webhookVerification:
provider: github
secret:
name: github-webhook-secret
key: secret-token
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
k8s.ngrok.com/modules: ngrok-module-set
spec:
ingressClassName: ngrok
rules:
- host: your-domain.ngrok.app
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80

Edges

Webhook Verification is a supported module for HTTPS edges. It is attached to an edge route. Like all edge modules, it can be configured via API.

Try it out

Consult the comprehensive step-by-step integration guides we've written for every supported provider.

Behavior

If a webhook request is verified, it is sent to the upstream server. If it is not, ngrok returns a 403 error response.

If there is provider-specific behavior it will be documented in the provider's integration guide.

Timestamp Tolerance

When a webhook provider provides a mechanism to prevent replay attacks by including a signed timestamp in the webhook, ngrok will reject the webhook request if the difference between the current time and the included timestamp are is outside of tolerance.

If the webhook provider's documentation suggests a tolerance value, we will use that.

Otherwise, ngrok uses a tolerance of 180 seconds.

Endpoint Verification

Some webhook providers require endpoint verification from your application before they will begin sending webhook requests. This helps providers prevent their webhook infrastructure from being used for DOS attacks.

When you configure webhook verification for the following providers, ngrok will automatically handle the endpoint verification request for your application.

  • Twitter
  • Wordline
  • Xero
  • Zoom

Reference

Supported Providers

ProviderProvider IdentifierIntegration Guide
AfterShipaftershipDocumentation
AirshipairshipDocumentation
Amazon SNSsnsDocumentation
Autodesk Platform ServicesautodeskDocumentation
BitbucketbitbucketDocumentation
BoltboltDocumentation
BoxboxDocumentation
BrexbrexDocumentation
BuildkitebuildkiteDocumentation
CalendlycalendlyDocumentation
CastlecastleDocumentation
ChargifychargifyDocumentation
CircleCIcircleciDocumentation
ClearbitclearbitDocumentation
ClerkclerkDocumentation
CoinbasecoinbaseDocumentation
ContentfulcontentfulDocumentation
DocuSigndocusignDocumentation
DropboxdropboxDocumentation
Facebook Graph APIfacebook_graph_apiDocumentation
Facebook Messengerfacebook_messengerDocumentation
Frame.ioframeioDocumentation
GitHubgithubDocumentation
GitLabgitlabDocumentation
Go1go1Documentation
HerokuherokuDocumentation
Hosted HookshostedhooksDocumentation
HubsSpothubspotDocumentation
Hygraph (Formerly GraphCMS)graphcmsDocumentation
InstagraminstagramDocumentation
IntercomintercomDocumentation
Launch Darklylaunch_darklyDocumentation
MailchimpmailchimpDocumentation
MailgunmailgunDocumentation
Microsoft Teamsmicrosoft_teamsDocumentation
Modern Treasurymodern_treasuryDocumentation
MongoDBmongodbDocumentation
MuxmuxDocumentation
OrbitorbitDocumentation
PagerDutypagerdutyDocumentation
PinwheelpinwheelDocumentation
PlivoplivoDocumentation
PusherpusherDocumentation
SendGridsendgridDocumentation
SentrysentryDocumentation
ShopifyshopifyDocumentation
Signal Sciencessignal_sciencesDocumentation
SlackslackDocumentation
Sonatype NexussonatypeDocumentation
SquaresquareDocumentation
StripestripeDocumentation
SvixsvixDocumentation
TerraformterraformDocumentation
TikToktiktokDocumentation
Trend Micro Conformitytrendmicro_conformityDocumentation
TwiliotwilioDocumentation
TwittertwitterDocumentation
TypeformtypeformDocumentation
VMware WorkspacevmwareDocumentation
WebexwebexDocumentation
WhatsAppwhatsappDocumentation
WorldlineworldlineDocumentation
XeroxeroDocumentation
ZendeskzendeskDocumentation
ZoomzoomDocumentation

Upstream Headers

No additional upstream headers are added by the Webhook Verification module.

Events

When the Webhook Verification module is enabled, it populates the following fields in the http_request_complete.v0 event:

Fields
webhook_verification.decision

Errors

If a webhook request fails verification for any reason, the ngrok edge will return ERR_NGROK_3204 with a 403 Forbidden status.

Licensing

Webhook Verification is available on the Free and Personal plans for up to 500 verifications per month. For additional verifications, you must be subscribed to a Pro or Enterprise plan.