Add auth field #26
Conversation
What level of security are you looking for here? So that the receiver can verify the authenticity of the webhooks?
@bryanhelmig yes, so the receiver can say "when you talk to me, use this auth token so I can trust you". The flip side to increasing trust requirements is being able to easily discard anything that doesn't auth, reducing processing.
Pretty interesting. I'm not sure I'd advocate adding a column for that though. Consider an alternative: a shared secret combined with HMAC hashing could accomplish the same thing without needing to store extra state per subscription. The secret could be your API key or even a static value you share with trusted partners. Not sure of your requirements. Take a look at Mailgun; they do something like this.
Thanks for the counter suggestion, it's an interesting one. I'll have a look at the implementation and document and share the setup if it works for us.
Awesome! I'd be down to see some utilities added here or at least documentation if you get something working.
@imsickofmaps did you get anything working for authentication? Please let us know. Thanks in advance.
@pk026 we used a solution like this in the end which re-used the auth token: https://gist.github.com/imsickofmaps/09dcb8c4aa37ed5057ce6c190d19b0ae I recommend signing though as a better, more scalable, solution. Check https://documentation.mailgun.com/user_manual.html?highlight=hmac#webhooks for ideas.
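The shared-secret HMAC approach suggested in the thread, worked through as an added example (this is not code from the PR, the gist, the project, or Mailgun's own scheme). The sender computes an HMAC-SHA256 over a timestamp plus the raw request body and sends both in headers; the receiver recomputes the MAC over the exact bytes it received, checks the timestamp is recent, and compares in constant time. The header names, the 300-second tolerance and the secret value are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed example secret. In practice this is exchanged out of band
# (per subscription or per trusted partner) and never sent in the webhook.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Hypothetical choice: reject deliveries whose timestamp is older than this.
# Binding the timestamp into the MAC limits how long a captured request stays valid.
MAX_SKEW_SECONDS = 300

# Hypothetical header names; pick whatever the receiver documents.
TS_HEADER = "X-Hook-Timestamp"
SIG_HEADER = "X-Hook-Signature"


def _message(timestamp: int, body: bytes) -> bytes:
    # Timestamp and body are joined with a separator so neither can be
    # shifted into the other without changing the MAC.
    return str(timestamp).encode() + b"." + body


def sign_payload(body: bytes, secret: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: headers carrying the timestamp and HMAC-SHA256 of the body."""
    sig = hmac.new(secret, _message(timestamp, body), hashlib.sha256).hexdigest()
    return {TS_HEADER: str(timestamp), SIG_HEADER: sig}


def verify_payload(body: bytes, headers: Dict[str, str], secret: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side. Returns False on a missing/malformed header, a stale
    timestamp, or a MAC mismatch, so the receiver can drop the request before
    doing any processing. `body` must be the raw bytes as received, not a
    re-serialised copy, or the MAC will not match."""
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts_raw is None or sig is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, _message(ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, sig)


def demo() -> bool:
    """Round-trip on a constructed payload; also shows that a one-byte
    change to the body invalidates the signature."""
    body = json.dumps({"hook": {"event": "book.added"}, "data": {"id": 1}}).encode()
    ts = 1_700_000_000
    headers = sign_payload(body, SHARED_SECRET, ts)
    ok = verify_payload(body, headers, SHARED_SECRET, now=ts)
    tampered = verify_payload(body + b" ", headers, SHARED_SECRET, now=ts)
    return ok and not tampered


if __name__ == "__main__":
    print("signed delivery verified, tampered delivery rejected:", demo())
```

Compared with a static bearer token, the receiver here stores nothing per subscription beyond the shared secret, a captured request cannot be replayed indefinitely because the timestamp is part of the signed message, and the secret itself never travels over the wire.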
This is a proposal to add an optional Authorization header to the webhook. Doing so would allow a higher level of security to the outbound payload. Thoughts?