Webhook Verification
It is important to verify that incoming webhook requests genuinely originate from Mobiledock and have not been tampered with.
Using custom headers
The primary method for verifying webhooks is through custom headers. When configuring a webhook, you can set headers that Mobiledock includes with every webhook delivery.
Shared secret pattern
A common approach is to set a secret value as a custom header and check it on your server:
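- In the Integration Hub, add a custom header to your webhook:
  - Header: x-webhook-secret
  - Value: a long, random string (e.g. sk_whk_a1b2c3d4e5f6...)
- On your server, reject any request that doesn’t include the correct secret:

```js
const express = require('express');

const app = express();
app.use(express.json()); // parse JSON webhook bodies into req.body

app.post('/webhooks/mobiledock', (req, res) => {
  const expected = process.env.MOBILEDOCK_WEBHOOK_SECRET;
  const secret = req.headers['x-webhook-secret'];

  // Fail closed: if the environment variable is unset, a request without
  // the header would otherwise compare undefined to undefined and pass.
  if (!expected || secret !== expected) {
    return res.status(401).send('Unauthorized');
  }

  // Process the webhook
  const payload = req.body;
  // ...

  res.status(200).send('OK');
});
```

Authorization header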
You can also set an Authorization header on the webhook, which does not require the x- prefix:
- Header: Authorization
- Value: Bearer your-secret-token
Best practices
- Use a strong, randomly generated secret (at least 32 characters)
- Store the secret in an environment variable, not in source code
- Use constant-time comparison to prevent timing attacks
- Respond with 200 promptly — process the payload asynchronously if needed
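
One way to apply the constant-time comparison practice to both header styles described above, using Node's built-in crypto.timingSafeEqual. This is an added example, not Mobiledock's own code; the function names safeEqual and verifyWebhook and the sample secret are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Compare two strings without leaking how many leading characters match.
// Both values are reduced to 32-byte HMAC digests first, because
// timingSafeEqual throws when its inputs differ in length.
function safeEqual(received, expected) {
  if (typeof received !== 'string' || typeof expected !== 'string') return false;
  const key = crypto.randomBytes(32); // throwaway per-call HMAC key
  const a = crypto.createHmac('sha256', key).update(received).digest();
  const b = crypto.createHmac('sha256', key).update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// headers:  lowercased header object (req.headers in Express/Node).
// expected: configured secret, e.g. process.env.MOBILEDOCK_WEBHOOK_SECRET.
// (verifyWebhook is a hypothetical helper name for this example.)
function verifyWebhook(headers, expected) {
  // Fail closed: an unset or empty secret must never authorize a request.
  if (typeof expected !== 'string' || expected.length === 0) return false;

  // Shared secret pattern: x-webhook-secret header.
  const custom = headers['x-webhook-secret'];
  if (typeof custom === 'string') return safeEqual(custom, expected);

  // Authorization header pattern: "Bearer <secret>".
  const auth = headers['authorization'];
  if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
    return safeEqual(auth.slice('Bearer '.length), expected);
  }
  return false;
}

// Constructed sample value, not a real credential.
const SAMPLE_SECRET = 'sk_whk_constructed_example_value_0123456789';

// Express usage: reject before touching the payload.
function webhookGuard(req, res, next) {
  if (!verifyWebhook(req.headers, process.env.MOBILEDOCK_WEBHOOK_SECRET)) {
    return res.status(401).send('Unauthorized');
  }
  next();
}
```

Register webhookGuard ahead of the route handler, for example app.post('/webhooks/mobiledock', webhookGuard, handler).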