Securing webhooks
Enhance webhook data security by either marking the webhook as private or setting an authentication method for it.
Private webhook
All webhooks are public by default. Enable Private Webhook to mark an individual webhook as private.
When a webhook is marked as private, it cannot be accessed over a public network. It can be accessed by using webMethods API Gateway:
- Internal url
  An internal endpoint is accessible only from the webMethods network. Click the Copy icon to view and copy the URL details.
  Note: The Internal url domain is subject to change. To help ensure accuracy, verify the URL through the user interface.
- Private url
  A private endpoint is used when a private network is configured. Access is limited exclusively to your private network to prevent any outside access, which includes your network or webMethods applications within your tenant. Click the Copy icon to view and copy the URL details.
  Note: Support for domains with -internal is deprecated, so you must reconfigure the alias in IBM® webMethods API Gateway. To do so, use the Internal URL provided on the webhook configuration page after the private webhook is enabled.
Webhook authentication
You can set an authentication method for your webhooks to enhance security.
None: Select None if you do not want to set an authentication method for your webhook.
Tenant credentials: Select Tenant credentials if you want the users to provide tenant credentials when they send the workflow execution request.
Webhook key: Select Webhook key if you want to generate a secret webhook key that users must provide in headers as webhook_key when they send the workflow execution request. To generate a secret webhook key, click Generate Token.
Autoconnect return sync on webhook
You can enable Autoconnect Return Sync on Webhook to automatically attach the Return Data on Sync Webhook action as the last action of your workflow. This action fetches the workflow output and sends it back to the webhook. For more information, see Using the Return Data on Sync Webhook action.
- When you enable Return Data on Sync Webhook for your webhook, it expects a response within 180 seconds after the event is triggered. If the response is not received within the specified period, the 408 Request Timeout error appears. The error means that the server chooses to end the connection rather than continue waiting for the response.
- However, if you use a web browser other than Mozilla Firefox, such as Google Chrome or Microsoft Edge, you can observe automatic retries that are done by the browser before you get the 408 Request Timeout error. The browsers automatically make multiple requests to get a response, and hence, you need to wait for more than 180 seconds before you see the 408 Request Timeout error.
- If you use services that can send an HTTP request, and the response is not received within 180 seconds, the 408 Request Timeout error appears soon after the timeout duration.
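A client for the Webhook key option and the 180-second limit described above, added here as an example and not taken from the product documentation. It sends the key in the webhook_key header only over TLS, does not follow redirects, and does not retry on 408. The POST method, JSON body, 15-second margin, sample payload, function names, and the WEBHOOK_URL and WEBHOOK_KEY variable names are assumptions.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SYNC_WAIT_S = 180                    # server-side limit stated in the documentation
CLIENT_TIMEOUT_S = SYNC_WAIT_S + 15  # assumption: margin so the server's 408 arrives first


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never forward the webhook_key header to a redirect target


def build_request(url, payload, key):
    """Build the execution request with the secret in the webhook_key header."""
    parts = urlsplit(url)
    loopback = parts.hostname in ("127.0.0.1", "localhost", "::1")
    if parts.scheme != "https" and not loopback:
        raise ValueError("refusing to send webhook_key over a non-TLS URL")
    if not key or "\r" in key or "\n" in key:
        raise ValueError("webhook key is empty or contains line breaks")
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),  # assumption: JSON body sent with POST
        headers={"webhook_key": key, "Content-Type": "application/json"},
        method="POST",
    )


def trigger(url, payload, key, timeout=CLIENT_TIMEOUT_S):
    """Send exactly one request; return (status, body, timed_out)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(build_request(url, payload, key), timeout=timeout) as resp:
            return resp.status, resp.read().decode(), False
    except urllib.error.HTTPError as err:
        # 408: the event was triggered but no output arrived within 180 s.
        # Each retry is another execution request, so none is sent here.
        return err.code, err.read().decode(), err.code == 408


if __name__ == "__main__":
    # Assumed variable names; reading the key from the environment keeps it out of source code.
    status, body, timed_out = trigger(
        os.environ["WEBHOOK_URL"], {"order_id": 42}, os.environ["WEBHOOK_KEY"]
    )
    print(status, "timed out, not retried" if timed_out else body)
```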