# Security and Verification

Webhook endpoints often deal with sensitive or privileged data. To help protect your systems and ensure authenticity, UseStencil provides multiple options to secure webhook deliveries:

1. ✅ Custom Headers
2. ✅ User-Defined Fields

## Custom Headers (Simple Auth)

When configuring a webhook, you can include custom headers such as an API key or token for simple verification.

**Example configuration**

```
{
  "Authorization": "Bearer abc123",
  "X-Origin": "usestencil"
}
```

**Resulting HTTP request:**

```
POST /webhooks/receive HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123
X-Origin: usestencil
```

**How to Use:**

* Your backend should validate the presence and correctness of the token or header.
* Best for quick or internal-only setups (e.g. test environments).

## `user_defined` data (Optional Field-based auth)

You can supply key-value pairs under `user_defined` during webhook setup. These appear inside the payload body, which is useful if your verification logic depends on data inside the request.

**Example Configuration:**

```
{
  "auth_token": "stencil_secret_xyz"
}
```

**Payload Example:**

```
"user_defined": {
  "auth_token": "stencil_secret_xyz"
}
```

**How to Use:**

* Validate `user_defined.auth_token` on the receiving server.
* Useful for services that require in-body verification (e.g., Lambda triggers or low-code tools).
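A receiver-side check covering both the custom-header and the `user_defined` options above, as an added example (not UseStencil's own code). The function name `verify_webhook` is hypothetical, and the expected values are the sample secrets from this page; it compares in constant time and fails closed on missing or malformed input.

```python
import hmac
import json

# Assumed values: the sample secrets from the configuration examples above.
# In a real deployment load them from a secret store, never from source code.
EXPECTED_AUTHORIZATION = "Bearer abc123"
EXPECTED_BODY_TOKEN = "stencil_secret_xyz"


def _equal(received, expected):
    """Constant-time comparison; anything that is not a string fails."""
    if not isinstance(received, str):
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


def verify_webhook(headers, raw_body):
    """Return (http_status, reason) for one incoming delivery.

    headers: mapping of header name to value, as supplied by the web framework.
    raw_body: request body as bytes.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    if not _equal(lowered.get("authorization"), EXPECTED_AUTHORIZATION):
        return 401, "bad or missing Authorization header"

    try:
        payload = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not valid JSON"

    # The body token lives under the top-level "user_defined" object.
    user_defined = payload.get("user_defined") if isinstance(payload, dict) else None
    if not isinstance(user_defined, dict):
        return 401, "user_defined object missing"
    if not _equal(user_defined.get("auth_token"), EXPECTED_BODY_TOKEN):
        return 401, "bad or missing user_defined.auth_token"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample delivery mirroring the request shown above.
    body = json.dumps({"user_defined": {"auth_token": "stencil_secret_xyz"}}).encode()
    print(verify_webhook({"Authorization": "Bearer abc123", "X-Origin": "usestencil"}, body))
```

Return the status to the sender but keep the reason string in your own logs, so a failed delivery does not reveal which check rejected it.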

## Additional Best Practices

* ✅ Always use HTTPS for your receiving endpoint
* ✅ Rotate your webhook secrets periodically
* ✅ Log and monitor webhook activity and failures
* ✅ Reject requests missing the `X-UseStencil-Signature` header (if secret is defined)

