Listening for a webhook exposes the webhook endpoint to the web, which allows anyone to call it and creates an opportunity for security breaches. That's why each webhook is secured with a verification token and a signing secret. The token and a signature generated with the signing secret are included in the request headers, allowing you to verify that the webhook was sent by Survicate.

The verification token and signing secret can be found in the Survicate integration settings panel. Each token can be regenerated in the webhook settings.

Verification token

Each webhook includes a verification token in the Token header. The token provides basic security by confirming that the webhook comes from Survicate. Note that the token is sent as plain text, so this security method can be compromised, e.g. by a MITM attack.

Signing secret

Each webhook request is signed with the signing secret. The signature of the webhook body is sent in the Hmac header and is generated with HMAC-SHA256 using the signing secret. This is the recommended security method.
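
One way to check both headers on the receiving side, as an added example rather than Survicate's own code. It assumes the Hmac header carries the digest hex-encoded (the page does not state the encoding, so base64 is available through a parameter) and that the signature covers the raw request body; the token, secret and payload are constructed sample values.

```python
import base64
import hashlib
import hmac

def _lookup(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def verify_webhook(headers, raw_body, token, signing_secret, encoding="hex"):
    """Return True only if both the Token and Hmac headers check out.

    raw_body must be the exact bytes received, before any JSON parsing,
    because re-serialising the payload changes the bytes and the digest.
    encoding ("hex" or "base64") is an assumption: the page does not say
    how the digest is encoded in the Hmac header.
    """
    digest = hmac.new(signing_secret.encode(), raw_body, hashlib.sha256).digest()
    received = _lookup(headers, "Hmac")
    if encoding == "hex":
        expected, received = digest.hex(), received.lower()
    elif encoding == "base64":
        expected = base64.b64encode(digest).decode()
    else:
        raise ValueError("encoding must be 'hex' or 'base64'")
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guess were correct.
    token_ok = hmac.compare_digest(_lookup(headers, "Token").encode(), token.encode())
    sig_ok = hmac.compare_digest(received.encode(), expected.encode())
    return token_ok and sig_ok

# Constructed sample values, not real Survicate credentials or payloads.
SAMPLE_TOKEN = "example-verification-token"
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"event":"sample","answer":"yes"}'

def sign(body, secret=SAMPLE_SECRET):
    """Demo helper: the hex signature a sender holding the secret would attach."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    headers = {"Token": SAMPLE_TOKEN, "Hmac": sign(SAMPLE_BODY)}
    print("genuine request:", verify_webhook(headers, SAMPLE_BODY, SAMPLE_TOKEN, SAMPLE_SECRET))
    print("tampered body:  ", verify_webhook(headers, SAMPLE_BODY + b" ", SAMPLE_TOKEN, SAMPLE_SECRET))
```

A request that presents the correct token but a missing or wrong signature is rejected, which is the case the plain-text token alone cannot cover.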
