

Listening for a webhook exposes the webhook endpoint to the web, so anyone can call it, which creates an opportunity for security breaches. That's why each webhook is secured with a verification token and a signing secret. The token and a signature generated with the signing secret are included in the headers of the request, allowing you to verify that the webhook was sent by Survicate.

The verification token and signing secret can be found in the Survicate integration settings panel. Each token can be regenerated in the webhook settings.

Verification token

Each webhook includes a verification token in the Token header. The token provides basic security by confirming that the webhook comes from Survicate. Note that the token is sent as plain text, so this security method can be compromised, e.g. by a MITM attack.

Signing secret

Each webhook request is signed with the signing secret. The signature of the webhook body is sent in the Hmac header and is generated with HMAC-SHA256 using the signing secret. This is the recommended security method.
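
One way to check both headers on the receiving side, as an added example that is not Survicate's own code. The page does not state how the signature in the Hmac header is encoded, so the hex default (with base64 as an alternative) is an assumption, and the function names, body and secret below are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional


def compute_signature(raw_body: bytes, signing_secret: str, encoding: str = "hex") -> str:
    """HMAC-SHA256 over the exact bytes received, keyed with the signing secret."""
    digest = hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    if encoding == "hex":  # assumption: the page does not name the encoding
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def verify_webhook(raw_body: bytes, headers: Mapping[str, str], signing_secret: str,
                   verification_token: Optional[str] = None, encoding: str = "hex") -> bool:
    """Return True only if the Hmac header (and, if given, the Token header) match."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("hmac", "").strip()
    if not received:
        return False  # unsigned request: reject rather than fall back to the token
    if encoding == "hex":
        received = received.lower()  # hex digits may arrive in either case
    expected = compute_signature(raw_body, signing_secret, encoding)
    # compare_digest runs in constant time, so a mismatch position is not leaked.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    if verification_token is not None:
        token = lowered.get("token", "")
        if not hmac.compare_digest(token.encode(), verification_token.encode()):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample request; verify the raw bytes BEFORE parsing the JSON,
    # because re-serialising the body changes the bytes and breaks the signature.
    body = b'{"event":"constructed-sample"}'
    secret = "constructed-signing-secret"
    good = {"Hmac": compute_signature(body, secret), "Token": "constructed-token"}
    print("genuine :", verify_webhook(body, good, secret, "constructed-token"))
    print("tampered:", verify_webhook(body + b" ", good, secret, "constructed-token"))
```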
