Authentication & Security
Protect your webhook endpoints with API keys, OAuth 2.0, and fine-grained CORS policies.
Overview
Why security matters for webhooks
Every webhook payload you receive is a potential entry point into your infrastructure. WebhookLab enforces authentication at the platform level and gives you the tools to verify incoming requests on your own servers — so you never process a forged or replayed event.
Our security model is built around three pillars: API-key-based access control for quick integration, OAuth 2.0 for delegated authorization when third-party services call your hooks, and configurable CORS headers that restrict which origins can interact with your webhook URLs in browser-based workflows.
API Keys
Authenticate with API keys
Each WebhookLab workspace generates a unique API key that you attach to every outgoing request or use to authenticate incoming webhooks via the X-WebhookLab-Signature header.
Keys are scoped per workspace and can be rotated without downtime. When you create a new key, the previous one stays active for 24 hours, giving you a safe window to update your integrations. You can also set IP allowlists — for example, restricting your key to traffic originating only from 185.12.34.56 (your production server) and 10.0.1.0/24 (your internal network).
Generate & rotate keys
Create unlimited keys from the workspace settings page. Each key has a descriptive label — e.g., stripe-prod-webhook or github-ci-test — so you always know which integration holds which credential.
Signature verification
WebhookLab signs every payload with HMAC-SHA256 and sends the result in the X-WebhookLab-Signature header. In your verification step, recompute the HMAC over the received payload with your signing secret and compare it to that header to confirm the request originated from us and was not tampered with in transit.
IP allowlists
Restrict key usage to specific IP ranges. Combine allowlists with signature verification for defense-in-depth — even if a key is leaked, unlisted IPs cannot replay it.
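The following is an added illustration of the receiving-side checks described above (signature verification, IP allowlist, and a guard against replayed events); it is example code, not WebhookLab's own library. It assumes the X-WebhookLab-Signature header carries the lowercase hex HMAC-SHA256 of the raw request body and that events carry an X-WebhookLab-Event-ID header; the secret and allowlist values are constructed samples (the IP ranges are the ones quoted on this page).

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample secret: not a real WebhookLab credential.
SIGNING_SECRET = b"whl_example_signing_secret"

# Allowlist taken from the page's example: production server and internal network.
ALLOWED_SOURCES = [
    ipaddress.ip_network("185.12.34.56/32"),
    ipaddress.ip_network("10.0.1.0/24"),
]


def compute_signature(secret: bytes, body: bytes) -> str:
    """Assumption: signature = lowercase hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, body: bytes, header_value) -> bool:
    if not header_value:
        return False
    expected = compute_signature(secret, body).encode()
    received = header_value.strip().lower().encode()
    # compare_digest runs in constant time; a plain == leaks timing information
    return hmac.compare_digest(expected, received)


def source_allowed(remote_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


class ReplayGuard:
    """Remembers recently seen event IDs so a captured request cannot be re-delivered."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.seen = {}  # event id -> first-seen timestamp

    def first_time(self, event_id: str, now=None) -> bool:
        now = time.time() if now is None else now
        # evict entries older than the window so memory stays bounded
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.ttl}
        if event_id in self.seen:
            return False
        self.seen[event_id] = now
        return True


def accept_webhook(remote_ip, headers, body, guard, secret=SIGNING_SECRET):
    """Return (accepted, reason). Every layer must pass: allowlist, HMAC, replay check."""
    if not source_allowed(remote_ip):
        return False, "source ip not allowlisted"
    if not signature_valid(secret, body, headers.get("X-WebhookLab-Signature")):
        return False, "bad signature"
    event_id = headers.get("X-WebhookLab-Event-ID")  # assumed header name
    if event_id and not guard.first_time(event_id):
        return False, "replayed event id"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"event":"ping"}'  # constructed sample payload
    sig = compute_signature(SIGNING_SECRET, body)
    guard = ReplayGuard()
    hdrs = {"X-WebhookLab-Signature": sig, "X-WebhookLab-Event-ID": "evt_1"}
    print(accept_webhook("185.12.34.56", hdrs, body, guard))  # first delivery
    print(accept_webhook("185.12.34.56", hdrs, body, guard))  # same event again
```

The allowlist check runs first because it is the cheapest; the HMAC is computed over the raw bytes exactly as received, so any reformatting of the body before verification (for example re-serialising parsed JSON) would break the comparison.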
OAuth 2.0
Delegated access with OAuth 2.0
When a third-party application needs to send webhooks to your WebhookLab endpoint on behalf of a user, OAuth 2.0 provides a secure, revocable delegation flow without exposing long-lived API keys.
WebhookLab acts as an OAuth 2.0 resource server. Register your client application at app.webhooklab.io/oauth/register to receive a client ID and client secret. Supported grant types include Authorization Code (for server-side flows) and Client Credentials (for machine-to-machine communication). Tokens expire after 3600 seconds and can be refreshed using the included refresh token, which remains valid for 30 days.
Authorization Code flow
Redirect users to app.webhooklab.io/oauth/authorize with your client ID and a redirect_uri. After the user grants consent, WebhookLab returns an authorization code you exchange for an access token at /oauth/token.
Client Credentials flow
For backend services that communicate without user interaction, POST your client ID and secret to /oauth/token with grant_type=client_credentials. The returned access token can be attached to webhook requests via the standard Authorization: Bearer <token> header.
Scope management
Define granular scopes such as webhook:read, webhook:write, and workspace:manage. Each token is issued with only the scopes your application requests — and your workspace administrator can audit every granted scope from the security dashboard.
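To make the Client Credentials exchange and the scope check concrete, here is an added toy simulation of both sides of the flow: a /oauth/token endpoint that authenticates the client, issues a token limited to the requested scopes, and expires it after 3600 seconds, plus the resource-side check of an Authorization: Bearer header. It is example code, not WebhookLab's implementation. It assumes client credentials are sent with HTTP Basic authentication (the RFC 6749 default) and that a client was granted only webhook:read and webhook:write at registration; the client ID and secret are constructed values. No refresh token is issued here because the client credentials grant does not normally carry one.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs

ACCESS_TOKEN_TTL = 3600  # page: tokens expire after 3600 seconds
KNOWN_SCOPES = {"webhook:read", "webhook:write", "workspace:manage"}

# Constructed sample registration (not real credentials). Assumption: scopes a
# client may request are fixed when it is registered.
CLIENTS = {
    "client_abc123": {
        "secret": "s3cret-example",
        "allowed_scopes": {"webhook:read", "webhook:write"},
    },
}


class TokenServer:
    """Toy /oauth/token endpoint plus resource-server bearer check."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.tokens = {}    # access token -> {client_id, scopes, expires_at}

    def _authenticate(self, authorization_header):
        # Client secret arrives as "Basic base64(client_id:client_secret)".
        scheme, _, cred = authorization_header.partition(" ")
        if scheme != "Basic":
            return None
        try:
            client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        except Exception:
            return None
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], secret):
            return None
        return client_id

    def handle_token_request(self, headers, form_body):
        """Return (status, json_dict) as the HTTP layer would send it."""
        client_id = self._authenticate(headers.get("Authorization", ""))
        if client_id is None:
            return 401, {"error": "invalid_client"}
        params = {k: v[0] for k, v in parse_qs(form_body).items()}
        if params.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        requested = set(params.get("scope", "").split())
        allowed = CLIENTS[client_id]["allowed_scopes"]
        # Refuse unknown scopes and scopes this client was never granted.
        if not requested <= KNOWN_SCOPES or not requested <= allowed:
            return 400, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "client_id": client_id,
            "scopes": requested,
            "expires_at": self.clock() + ACCESS_TOKEN_TTL,
        }
        return 200, {
            "access_token": token,
            "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL,
            "scope": " ".join(sorted(requested)),
        }

    def authorize_request(self, headers, required_scope):
        """Resource-server check for an incoming webhook call."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        if entry is None:
            return False, "invalid_token"
        if self.clock() >= entry["expires_at"]:
            return False, "token expired"
        if required_scope not in entry["scopes"]:
            return False, "insufficient_scope"
        return True, entry["client_id"]


def basic_auth_header(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


if __name__ == "__main__":
    srv = TokenServer()
    req_headers = {"Authorization": basic_auth_header("client_abc123", "s3cret-example")}
    status, resp = srv.handle_token_request(
        req_headers, "grant_type=client_credentials&scope=webhook:write")
    print(status, resp)
    bearer = {"Authorization": "Bearer " + resp["access_token"]}
    print(srv.authorize_request(bearer, "webhook:write"))    # allowed
    print(srv.authorize_request(bearer, "workspace:manage")) # insufficient_scope
```

The point to notice is that scope is enforced twice: at issuance (a client cannot obtain scopes it was never granted) and at use (a token holding only webhook:write cannot perform a workspace:manage action), which is what makes the dashboard's scope audit meaningful.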
CORS
Configure CORS for safe cross-origin requests
If your webhook consumers run in a browser — for example, a dashboard that polls your WebhookLab URL via fetch() — you must configure Cross-Origin Resource Sharing headers to avoid blocked requests.
In the CORS settings panel, add each allowed origin explicitly (e.g., https://dashboard.example.com, https://admin.example.internal). Wildcards are supported for subdomains: *.example.com covers app.example.com and staging.example.com but not example.com itself. You can also toggle allowed HTTP methods (GET, POST, OPTIONS) and expose custom headers like X-WebhookLab-Event-ID to your frontend code.
Allowed origins
Specify exact domains or subdomain wildcards. Requests from any origin not on the list receive no Access-Control-Allow-Origin header and are rejected by the browser.
Preflight handling
WebhookLab automatically responds to OPTIONS preflight requests with the correct Access-Control-Allow-Methods and Access-Control-Allow-Headers values, so your POST requests with custom headers go through without extra configuration.
Audit log
Every CORS-related request — including blocked preflights — is recorded in the workspace audit log with the requesting origin, timestamp, and outcome, so you can spot misconfigurations or suspicious activity quickly.
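As an added example of the origin-matching, preflight and audit behaviour described in this section, the code below implements the same rules on a generic server: exact origins, subdomain wildcards with the semantics stated above (*.example.com covers app.example.com and staging.example.com but not example.com), no Access-Control-Allow-Origin header for unlisted origins, automatic OPTIONS preflight answers, and an audit entry with origin, timestamp and outcome for every CORS request. It is not WebhookLab's code. Assumptions: a wildcard pattern given without a scheme matches https origins only and covers any label depth, and the allowed/exposed header lists are constructed for the example.

```python
import time
from urllib.parse import urlsplit

# Constructed configuration mirroring the page's examples.
ALLOWED_ORIGINS = [
    "https://dashboard.example.com",
    "https://admin.example.internal",
    "*.example.com",
]
ALLOWED_METHODS = ["GET", "POST", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "X-WebhookLab-Signature"]   # assumed list
EXPOSED_HEADERS = ["X-WebhookLab-Event-ID"]


def origin_matches(origin: str, pattern: str) -> bool:
    """Exact scheme+host+port match, or subdomain wildcard on the host."""
    o = urlsplit(origin)
    if not o.scheme or not o.hostname:
        return False  # e.g. the literal origin "null"
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": the leading dot excludes the bare apex
        # Assumption: wildcard entries are https-only and match any subdomain depth.
        return o.scheme == "https" and o.hostname.endswith(suffix)
    p = urlsplit(pattern)
    return (o.scheme, o.hostname, o.port) == (p.scheme, p.hostname, p.port)


def origin_allowed(origin: str) -> bool:
    return any(origin_matches(origin, pat) for pat in ALLOWED_ORIGINS)


def handle_cors(method, request_headers, audit_log, now=None):
    """Return (status, cors_response_headers) and record one audit entry."""
    origin = request_headers.get("Origin")
    now = time.time() if now is None else now
    if origin is None:
        return 200, {}  # not a cross-origin request; nothing to add

    def audit(outcome):
        audit_log.append({"ts": now, "origin": origin, "method": method, "outcome": outcome})

    if not origin_allowed(origin):
        audit("blocked")
        # No Access-Control-Allow-Origin: the browser discards the response.
        return (403 if method == "OPTIONS" else 200), {}

    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":
        want_method = request_headers.get("Access-Control-Request-Method", "")
        want_headers = [h.strip().lower() for h in
                        request_headers.get("Access-Control-Request-Headers", "").split(",")
                        if h.strip()]
        allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
        if want_method not in ALLOWED_METHODS or not all(h in allowed_lower for h in want_headers):
            audit("blocked")
            return 403, {}
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
        audit("preflight-ok")
        return 204, headers

    headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    audit("allowed")
    return 200, headers


if __name__ == "__main__":
    log = []
    print(handle_cors("OPTIONS", {"Origin": "https://app.example.com",
                                  "Access-Control-Request-Method": "POST",
                                  "Access-Control-Request-Headers": "X-WebhookLab-Signature"}, log))
    print(handle_cors("OPTIONS", {"Origin": "https://example.com",
                                  "Access-Control-Request-Method": "POST"}, log))
    for entry in log:
        print(entry)
```

Echoing the matched origin together with Vary: Origin (rather than emitting a literal *) keeps caches from serving one origin's CORS response to another, and the audit entries make a blocked preflight from an unexpected origin visible the way the audit log above describes.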
Get started
Secure your workspace today
Generate your first API key, register an OAuth client, or add a CORS origin — all from the security settings page. Changes take effect instantly, and every action is logged for compliance.
If you need help configuring signature verification in your language of choice, check the code examples in the docs: Python, Node.js, Go, and Ruby snippets are available with copy-paste-ready implementations.