Security and Verification

Webhook endpoints often deal with sensitive or privileged data. To help protect your systems and ensure authenticity, UseStencil provides multiple options to secure webhook deliveries:

✅ Custom Headers
✅ User-Defined Fields

Customer Header (Simple Auth)

When configuring a webhook, you can include custom headers such as an API key or token for simple verification.

Example configuration

{
"Authorization": "Bearer abc123",
"X-Origin": "usestencil"
}

Resulting HTTP request:

POST /webhooks/receive HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123
X-Origin: usestencil

How to Use:

Your backend should validate the presence and correctness of the token or header.
Best for quick or internal-only setups (e.g. test environments).

`user_defined` data (Optional Field-based auth)

You can supply key-value pairs under user-defined during webhook setup. These will appear inside the payload body — useful if your verification logic depends on data inside the request.

Example Configuration:

{
"auth_token": "stencil_secret_xyz"
}

Payload Example:

"user_defined": {
  "auth_token": "stencil_secret_xyz"
}

How to Use:

Validate user_defined.auth_token on the receiving server.
Useful for services that require in-body verification (e.g., Lambda triggers or low-code tools).

Additional Best Practices

✅ Always use HTTPS for your receiving endpoint
✅ Rotate your webhook secrets periodically
✅ Log and monitor webhook activity and failures
✅ Reject requests missing the X-UseStencil-Signature header (if secret is defined)

PreviousPayload Structure NextError Handling & Retries

Last updated 7 months ago

hashtagCustomer Header (Simple Auth)

hashtaguser_defined data (Optional Field-based auth)

hashtagAdditional Best Practices

Customer Header (Simple Auth)

`user_defined` data (Optional Field-based auth)

Additional Best Practices