# Security and Verification

Webhook endpoints often deal with sensitive or privileged data. To help protect your systems and ensure authenticity, UseStencil provides multiple options to secure webhook deliveries:

1. ✅ Custom Headers
2. ✅ User-Defined Fields

## Custom Header (Simple Auth)

When configuring a webhook, you can include custom headers such as an API key or token for simple verification.

**Example configuration**

```
{
  "Authorization": "Bearer abc123",
  "X-Origin": "usestencil"
}
```

**Resulting HTTP request:**

```
POST /webhooks/receive HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123
X-Origin: usestencil
```

**How to Use:**

* Your backend should validate the presence and correctness of the token or header.
* Best for quick or internal-only setups (e.g. test environments).

## `user_defined` data (Optional Field-based auth)

You can supply key-value pairs under `user_defined` during webhook setup. These appear inside the payload body, which is useful when your verification logic depends on data inside the request rather than on headers.

**Example Configuration:**

```
{
  "auth_token": "stencil_secret_xyz"
}
```

**Payload Example:**

```
"user_defined": {
  "auth_token": "stencil_secret_xyz"
}
```

**How to Use:**

* Validate `user_defined.auth_token` on the receiving server.
* Useful for services that require in-body verification (e.g., Lambda triggers or low-code tools).
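The following receiver-side check is an added example, not code from UseStencil's documentation: it validates both the custom `Authorization` header and the in-body `user_defined.auth_token` described above, using constant-time comparison so a mismatch does not leak how much of a guessed token was correct. The expected values and the sample delivery are constructed placeholders matching the page's examples; the `event` key in the sample body is assumed.

```python
import hmac
import json
from typing import Mapping, Optional

# Constructed placeholder values matching the page's examples.
# In a real deployment load these from a secrets store, not source code.
EXPECTED_AUTHORIZATION = "Bearer abc123"
EXPECTED_USER_DEFINED_TOKEN = "stencil_secret_xyz"


def verify_webhook(headers: Mapping[str, str], body: bytes,
                   expected_header: str = EXPECTED_AUTHORIZATION,
                   expected_body_token: str = EXPECTED_USER_DEFINED_TOKEN) -> Optional[str]:
    """Return None if the delivery passes both checks, else a rejection reason.

    Check 1: the custom Authorization header configured in UseStencil.
    Check 2: the user_defined.auth_token field inside the JSON payload.
    hmac.compare_digest keeps the comparison time independent of where
    the first differing character sits.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("authorization")
    if presented is None:
        return "missing Authorization header"
    if not hmac.compare_digest(presented.encode(), expected_header.encode()):
        return "Authorization header mismatch"

    try:
        payload = json.loads(body)
    except ValueError:
        return "body is not valid JSON"

    user_defined = payload.get("user_defined") if isinstance(payload, dict) else None
    token = user_defined.get("auth_token") if isinstance(user_defined, dict) else None
    if not isinstance(token, str):
        return "missing user_defined.auth_token"
    if not hmac.compare_digest(token.encode(), expected_body_token.encode()):
        return "user_defined.auth_token mismatch"
    return None


# Constructed sample delivery shaped like the page's examples ("event" is assumed).
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "Authorization": "Bearer abc123", "X-Origin": "usestencil"}
SAMPLE_BODY = json.dumps({"event": "document.completed",
                          "user_defined": {"auth_token": "stencil_secret_xyz"}}).encode()

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY))  # None -> accepted
    print(verify_webhook({}, SAMPLE_BODY))             # missing Authorization header
```

Return a 401 or 403 to UseStencil whenever the function yields a reason string, and log that reason so rejected deliveries show up in monitoring.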

## Additional Best Practices

* ✅ Always use HTTPS for your receiving endpoint
* ✅ Rotate your webhook secrets periodically
* ✅ Log and monitor webhook activity and failures
* ✅ Reject requests missing the `X-UseStencil-Signature` header (if a secret is defined)
