Dynamically Signing Webhook Requests

What is the best way for an external backend to verify that requests sent by a Particle webhook do indeed come from Particle? I saw when setting up a webhook that you could include auth credentials, but it doesn't seem ideal to include the same credentials with every request. Is there some way to input a private key to Particle and use that secret to dynamically sign requests, including the signature as a header?

From a webhook template we recommend using a static authenticator. Since you're presumably using TLS/SSL, the risk is low. The webhook configuration only lives in the Particle cloud, not on devices.

Using Logic you could dynamically generate keys.


How would you pass the dynamically generated key to the webhook to add to the header?

You can use Mustache variables in the webhook templates for additional headers, such as Authorization. The best way to do this with Logic is to have your Logic block trigger a webhook using a JSON payload. Your eventual destination doesn't need to be JSON; you just need the JSON so you can include your dynamic key along with the content.

Also note that between Logic and the webhook you are not limited to 1024 bytes, so you can include long authorization keys along with the full publish size from the device.
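
As an added example (not part of the thread and not Particle's code), here is one way the receiving backend could check a per-request signature carried in a header. The header names `X-Timestamp` and `X-Signature`, the shared secret, and the HMAC-SHA256 signing scheme are all assumptions made for illustration; nothing here is defined by Particle.

```python
import hashlib
import hmac
import time

# Assumed scheme (not defined by Particle or the thread): the sender sets
#   X-Timestamp: Unix seconds
#   X-Signature: hex HMAC-SHA256(secret, timestamp + "." + raw_body)
SHARED_SECRET = b"constructed-demo-secret"  # placeholder; load from a secret store
MAX_SKEW_SECONDS = 300                      # reject old (replayed) requests


def sign(secret, timestamp, body):
    """Signature the sending side would place in X-Signature."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(headers, body, secret=SHARED_SECRET, now=None):
    """Return True only for a fresh request whose signature matches the raw body."""
    timestamp = headers.get("X-Timestamp")
    signature = headers.get("X-Signature")
    if not timestamp or not signature:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample request, for illustration only.
SAMPLE_BODY = b'{"event":"temperature","data":"21.5"}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    "X-Timestamp": SAMPLE_TS,
    "X-Signature": sign(SHARED_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(verify(SAMPLE_HEADERS, SAMPLE_BODY, now=1700000010))         # untampered, fresh
    print(verify(SAMPLE_HEADERS, SAMPLE_BODY + b" ", now=1700000010))  # body altered
    print(verify(SAMPLE_HEADERS, SAMPLE_BODY, now=1700009999))         # outside the window
```

Run the check against the raw request bytes before any JSON parsing, since re-serialising the payload changes the bytes that were signed.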