It is absolutely needed, @David, as it is possible for anyone to spam my webhook and corrupt my data, which could be very painful to eliminate.
Indeed, it is not that hard to find the endpoint, as it often has a basic structure (webhook/pipedrive or webhooks/pipedrive), and after that you can easily spam and corrupt other people’s data.
Mailgun does the same and I am pretty sure that it is not hard to implement on your side and it is still non-mandatory for users to verify webhooks.
This would be nice. However, what if you just obfuscate your endpoint? Of course I know “obscurity is not security” but that’s a good temporary alternative. Most spam bots will just hit the domain and any publicly available pages inside the robots.txt or sitemap.xml. I haven’t seen many bots target Pipedrive webhook endpoint URLs.
You can add a random ?somevar=somehash (check that hash against the variable in your request) that makes it almost impossible for a bot to guess unless your URLs get leaked somehow, which is even worse.
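The query-string check suggested in the post above, as an added example that is not part of the original thread and is not Pipedrive code. The parameter name `somevar` is taken from the post; the function names and the WSGI wrapper are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Parameter name as written in the post; any name works.
TOKEN_PARAM = "somevar"


def new_webhook_token() -> str:
    """Generate the random value to append to the webhook URL (32 random bytes)."""
    return secrets.token_urlsafe(32)


def token_is_valid(query_string: str, expected: str) -> bool:
    """True only if the query string carries exactly one token and it matches."""
    values = parse_qs(query_string, keep_blank_values=True).get(TOKEN_PARAM, [])
    if len(values) != 1:
        # Missing or repeated parameter: reject instead of guessing which one counts.
        return False
    # Constant-time comparison so response timing does not reveal the token.
    return hmac.compare_digest(values[0].encode(), expected.encode())


def make_app(expected: str):
    """Minimal WSGI receiver that checks the token before touching any data."""
    def app(environ, start_response):
        authorized = (
            environ.get("REQUEST_METHOD") == "POST"
            and token_is_valid(environ.get("QUERY_STRING", ""), expected)
        )
        if not authorized:
            # Answer like a non-existent page so the endpoint is not confirmed.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        # Only past this point would the webhook payload be parsed and stored.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    return app
```

Because the token travels in the URL, it is written to access logs and any proxy in between, so those need the same protection as the token itself.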