How to Authenticate and Confirm Events from Pipedream to Prevent Webhook Spamming?

This topic was automatically generated from Slack. You can find the original thread here.

Hey team, for Deploy trigger - Pipedream, specifically around the webhook, is there a way to add some sort of authentication? The problem I am running into is trying to figure out how to confirm an event is from Pipedream instead of someone spamming the webhook.

To secure your Pipedream Connect Deploy Trigger webhook and confirm that events are genuinely from Pipedream (not from someone spamming your endpoint), you should implement authentication or verification on your webhook endpoint. While Pipedream Connect Deploy Trigger webhooks do not natively support secret signing (like some other webhook systems), you can implement your own authentication in a few ways:

### 1. Use a Secret Token in the Webhook URL

How it works:

- When you create the webhook URL for your Deploy Trigger, append a secret token as a query parameter (e.g., `?secret=YOUR_SECRET_TOKEN`).
- In your webhook handler, check for this token and reject requests that don't include it or have the wrong value.

Example:

`https://your-server.com/webhook-endpoint?secret=MY_SUPER_SECRET`

In your handler:

```javascript
export default defineComponent({
  async run({ steps, $ }) {
    // Query parameters of the incoming HTTP request, as exposed by the HTTP trigger
    const { query } = steps.trigger.event;
    // Reject any request whose secret is missing or does not match the configured value
    if (query.secret !== process.env.WEBHOOK_SECRET) {
      throw new Error("Unauthorized");
    }
    // Continue processing
  },
});
```

(You can set `WEBHOOK_SECRET` as an environment variable in Pipedream for security.)

---

### 2. Check for a Custom Header

If you control both ends, you can require a custom HTTP header (e.g., `x-webhook-secret`) with a secret value. However, Pipedream Connect Deploy Trigger currently does not let you customize headers sent to your webhook, so this method is only possible if you can control the sender.

---

### 3. Validate the Request Origin

If Pipedream's requests come from a known set of IP addresses, you could restrict your endpoint to only accept requests from those IPs. However, Pipedream does not guarantee static IPs for outgoing requests, so this is not a reliable method.

---

### 4. Signature Verification (Not Supported Natively)

Some webhook providers sign their payloads with a secret and let you verify the signature. As of now, Pipedream Connect Deploy Trigger does not natively support webhook signing. If this feature is important, consider submitting a feature request to Pipedream.

---

## Summary

- Best Practice: Use a secret token in the webhook URL and verify it in your handler.
- Do not rely on IP allowlisting or custom headers (unless Pipedream adds support).
- No native signature verification is available for Connect Deploy Trigger webhooks.

If you need more advanced security, please let Pipedream know by submitting a feature request or visiting Support - Pipedream.

---

References:

- Pipedream Connect API Reference
- Pipedream Support

Not currently, but that is on the roadmap

sounds good, I think I will just take Pi’s advice for now