This topic was automatically generated from Slack. You can find the original thread here.
Heys @U05FUC30Q01
I’m deploying a trigger using the REST API and want to verify incoming events with a web-hook signature.
Is it possible for Pipedream to sign the events it sends using a secret that I can set either in Pipedream or in the web hook itself?
cc:- @U095D9MBG49 @U094Y8Z67C4 @U05A7KLNALC
Thanks for your question! Based on the available documentation: Pipedream does not natively sign outgoing webhook events with a user-defined secret. Instead, signature validation is typically used for incoming webhooks (when Pipedream receives events from other apps), not for outgoing events that Pipedream sends to your endpoints. ### Details - When you use an app-based trigger in Pipedream, Pipedream will try to validate incoming events using the signature guidance from the app provider (see docs). - For outgoing webhooks (when Pipedream sends HTTP requests to your endpoints), Pipedream does not automatically sign the payload with a secret or signature header that you can configure. - If you want to verify the source of incoming requests to your own HTTP endpoint, you should implement your own validation logic. For example, you can: - Require a custom header with a secret value. - Use HTTP Basic Auth. - Validate JWT tokens. - Implement any custom logic you need. ### What you can do If you want Pipedream to include a signature or secret in the outgoing webhook requests, you can: - Add a custom header in your HTTP action step, e.g., X-Signature: your-secret-value. - Sign the payload yourself in a code step before sending, and include the signature in a header or the body. #### Example: Add a custom signature header ```
import { axios } from “@pipedream/platform”; import crypto from “crypto”; export default defineComponent({ props: { webhookUrl: { type: “string”, label: “Webhook URL” }, secret: { type: “string”, label: “Secret” }, payload: { type: “string”, label: “Payload (JSON string)” }, }, async run({ steps, $ }) { const signature = crypto .createHmac(“sha256”, this.secret) .update(this.payload) .digest(“hex”); return await axios($, { method: “POST”, url: this.webhookUrl, headers: { “X-Signature”: signature, “Content-Type”: “application/json”, }, data: this.payload, }); }, });
We don’t yet but it’s on the backlog: [FEATURE] Support signature validation for webhook emits from triggers deployed via Connect API · Issue #16396 · PipedreamHQ/pipedream · GitHub