Skip to main content

Verify Webhook

Overview

The Verify Webhook Traffic Policy action enables you to validate incoming webhook signatures against a known secret to ensure authenticity. Depending on the verification result, it either forwards the request to the next action or rejects it, safeguarding your endpoints from unauthorized or tampered webhooks.

Configuration Reference

This is the Traffic Policy configuration reference for this action.

Supported Directions

  • on-http-request

Type

verify-webhook

Configuration Fields

  • providerstringRequired

    The name of the provider to verify webhook requests from.

    Value must be a supported provider identifier.

  • secretstringRequired

    The secret key used to validate webhook requests from the specified provider.

  • enforcebool

    When true, the request will be halted if the webhook is not valid and no further actions will run. However when false, subsequent actions will run even if the webhook was not valid.

    Default true.

Behavior

The verify-webhook action ensures the authenticity of incoming webhook requests by validating their signatures against a known secret. Upon receiving a request, the action performs the signature verification. If verification succeeds, the request proceeds through the action chain. If it fails, the request is terminated with a 403 Forbidden response, unless enforce is set to false, in which case the request proceeds without termination.

Verification Process

  • Signature Validation: The action validates incoming webhook signature to confirm the request originates from the configured provider and that the payload has not been tampered with.
  • Request Handling: If the webhook verification is successful, the request is forwarded to the next action. If the verification fails, the request chain is terminated with a 403 response.
  • Configurable Enforcement: By default, verification failures result in termination. However, setting enforce: false allows unverified requests to proceed, while logging the verification result. This option is useful for debugging, testing, and crafting your own custom responses with action result variables.

Endpoint Verification

Some webhook providers require an initial endpoint verification challenge to validate that your application is legitimate before sending webhook events. The verify-webhook action automatically handles endpoint verification challenges for supported providers.

  • Supported providers:
    • Twitter
    • Worldline
    • Xero
    • Zoom

Replay Prevention with Timestamp Tolerance

To prevent replay attacks, ngrok verifies that the webhook’s timestamp falls within an acceptable range.

Secret Handling and Encryption

All secrets used for webhook verification are encrypted at config validation. When ngrok processes a requests the secret is decrypted.

Supported Providers

Currently, these integration guides refer to modules.

ProviderProvider IdentifierIntegration Guide
AfterShipaftershipDocumentation
AirshipairshipDocumentation
AlchemyalchemyDocumentation
Amazon SNSsnsDocumentation
Autodesk Platform ServicesautodeskDocumentation
BitbucketbitbucketDocumentation
BoltboltDocumentation
BoxboxDocumentation
BrexbrexDocumentation
BuildkitebuildkiteDocumentation
CalendlycalendlyDocumentation
CastlecastleDocumentation
ChargifychargifyDocumentation
CircleCIcircleciDocumentation
ClearbitclearbitDocumentation
ClerkclerkDocumentation
CoinbasecoinbaseDocumentation
ContentfulcontentfulDocumentation
DocuSigndocusignDocumentation
DropboxdropboxDocumentation
Facebook Graph APIfacebook_graph_apiDocumentation
Facebook Messengerfacebook_messengerDocumentation
Frame.ioframeioDocumentation
GitHubgithubDocumentation
GitLabgitlabDocumentation
Go1go1Documentation
HerokuherokuDocumentation
Hosted HookshostedhooksDocumentation
HubsSpothubspotDocumentation
Hygraph (Formerly GraphCMS)graphcmsDocumentation
InstagraminstagramDocumentation
IntercomintercomDocumentation
Launch Darklylaunch_darklyDocumentation
MailchimpmailchimpDocumentation
MailgunmailgunDocumentation
Microsoft Teamsmicrosoft_teamsDocumentation
Modern Treasurymodern_treasuryDocumentation
MongoDBmongodbDocumentation
MuxmuxDocumentation
OrborbDocumentation
OrbitorbitDocumentation
PagerDutypagerdutyDocumentation
PinwheelpinwheelDocumentation
PlivoplivoDocumentation
PusherpusherDocumentation
SendGridsendgridDocumentation
SentrysentryDocumentation
ShopifyshopifyDocumentation
Signal Sciencessignal_sciencesDocumentation
SlackslackDocumentation
Sonatype NexussonatypeDocumentation
SquaresquareDocumentation
StripestripeDocumentation
SvixsvixDocumentation
TerraformterraformDocumentation
TikToktiktokDocumentation
Trend Micro Conformitytrendmicro_conformityDocumentation
TwiliotwilioDocumentation
TwittertwitterDocumentation
TypeformtypeformDocumentation
VMware WorkspacevmwareDocumentation
WebexwebexDocumentation
WhatsAppwhatsappDocumentation
WorldlineworldlineDocumentation
XeroxeroDocumentation
ZendeskzendeskDocumentation
ZoomzoomDocumentation

Examples

Basic Example

This example configuration sets up an endpoint (gitlab-webhook-example.ngrok.io) that receives webhook requests from GitLab. The Verify Webhook action checks the authenticity of the request using a shared secret. If the request is verified, a custom response is sent back with a status 200 OK and a plain text confirmation message.

Example Traffic Policy Document

---
on_http_request:
- actions:
- type: verify-webhook
config:
provider: gitlab
secret: secret!
- type: custom-response
config:
status_code: 200
headers:
content-type: text/plain
content: GitLab webhook verified

Start Endpoint with Traffic Policy

ngrok http 8080 --url gitlab-webhook-example.ngrok.io --traffic-policy-file /path/to/policy.yml
$ curl --location --request POST 'https://gitlab-webhook-example.ngrok.io/' \
--header 'X-Gitlab-Token: secret!'
> POST / HTTP/2
> Host: gitlab-webhook-example.ngrok.io
> User-Agent: curl/[version]
> Accept: */*
> X-Gitlab-Token: secret!
...

This request will first be processed by the Verify Webhook action. If the GitLab webhook verification is successful, ngrok will return a 200 OK response with the message GitLab webhook verified.

HTTP/2 200 OK
content-type: text/plain
GitLab webhook verified

Action Result Variables

The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.

  • actions.ngrok.verify_webhook.verifiedbool

    Indicates whether or not the request was successfully verified.

  • actions.ngrok.verify_webhook.error.codestring

    Code for an error that occurred during the invocation of an action.

  • actions.ngrok.verify_webhook.error.messagestring

    Message for an error that occurred during the invocation of an action.