Webhook authentication and security

Tabata Vossen

Qualifio's webhooks offer some optional security measures that can be implemented when setting up the webhook. These measures increase the security of your webhook event data and ensure that the data delivered originates from Qualifio.

Webhook security

SSL (HTTPS)

The first step you should take to secure your webhook is to ensure that you are using HTTPS for your endpoint. Secure Sockets Layer (SSL) is a cryptographic protocol that provides communications security over a computer network. If your webhook endpoint supports SSL, then you can prefix your endpoint URL with “https://”.

IP whitelisting

It is also possible to whitelist the IP addresses from which you will get the webhook callback. All Qualifio webhook requests originate from a static set of IP addresses:

  • 51.77.77.250/32
  • 87.98.150.91/32
  • 87.98.166.29/32
  • 145.239.24.139/32
  • 178.33.197.209/32

Webhook authentication setup

Webhook 2.0 only

Webhooks require that your notification URL is accessible to Qualifio’s systems. However, we realise that you might not want this URL publicly accessible, for security reasons.

This is why you can choose to authenticate the notifications using the webhook header, in which case you should enter the name (key) and value.

These credentials will be sent together with the webhook notification, allowing you to verify that incoming requests originate from Qualifio.

Once you’ve decided to add authentication to your webhook, you can follow one of our configuration examples:

Note: Each header line must specify the header name, followed by a colon (:), followed by the header value. The header name and the header value can be specified in Qualifio. Those will be automatically joined by a colon. The colon is always present – you don't need to write it down.

Bearer authentication

Authorization: Bearer <token>

Basic authentication

Authorization: Basic <token>

Other examples

  • X-Authorization: ...
X-Authorization: <token>

  • X-Api-Token: ...
X-Api-Token: <token>

  • X-Auth-Token: ...
X-Auth-Token: <token>
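
On the receiving side, the IP list and the authentication header described above can be checked together before a notification is processed. The following is an added example, not Qualifio's own code: the header name, the token value and the function names are assumptions, and `remote_ip` is assumed to be the real peer address as seen by your server (not an unvalidated forwarded-for value).

```python
import hmac
import ipaddress

# Source addresses listed on this page for Qualifio webhook callbacks.
QUALIFIO_NETWORKS = [ipaddress.ip_network(n) for n in (
    "51.77.77.250/32", "87.98.150.91/32", "87.98.166.29/32",
    "145.239.24.139/32", "178.33.197.209/32",
)]

# Assumption: the header name (key) and value you entered in Qualifio.
EXPECTED_HEADER = "Authorization"
EXPECTED_VALUE = "Bearer example-token-change-me"  # constructed sample value


def source_ip_allowed(remote_ip):
    """True if remote_ip belongs to the allowlisted Qualifio addresses."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed address: reject
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in QUALIFIO_NETWORKS)


def header_matches(headers):
    """Compare the configured header in constant time; names are case-insensitive."""
    received = None
    for name, value in headers.items():
        if name.lower() == EXPECTED_HEADER.lower():
            received = value
    if received is None:
        return False
    return hmac.compare_digest(received.encode(), EXPECTED_VALUE.encode())


def verify_webhook(remote_ip, headers):
    """Return (accepted, reason); both checks must pass."""
    if not source_ip_allowed(remote_ip):
        return False, "source IP not in allowlist"
    if not header_matches(headers):
        return False, "missing or wrong authentication header"
    return True, "ok"
```

Log the returned reason for rejected requests and answer them with a generic 401/403 so the response does not reveal which check failed.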

Use something we don’t have on this list? Let us know, and we’ll try and point you in the right direction.
