Verify Webhook
Overview
The Verify Webhook Traffic Policy action enables you to validate incoming webhook signatures against a known secret to ensure authenticity. Depending on the verification result, it either forwards the request to the next action or rejects it, safeguarding your endpoints from unauthorized or tampered webhooks.
Configuration Reference
This is the Traffic Policy configuration reference for this action.
Action Type
verify-webhook
Configuration Fields
| Parameter | Type | Description |
|---|---|---|
provider | string | Required. The name of the provider to verify webhook requests from. Value must match a supported provider. |
secret | string | The secret key used to validate webhook requests from the specified provider. |
enforce | bool | Default true. If false, continue to the next action even if the request is not allowed. |
Supported Directions
on-http-request
Supported Schemes
httpshttp
Behavior
The verify-webhook action ensures the authenticity of incoming webhook requests by validating their signatures against a known secret. Upon receiving a request, the action performs the signature verification. If verification succeeds, the request proceeds through the action chain. If it fails, the request is terminated with a 403 Forbidden response, unless enforce is set to false, in which case the request proceeds without termination.
Verification Process
- Signature Validation: The action validates incoming webhook signature to confirm the request originates from the configured provider and that the payload has not been tampered with.
- Request Handling: If the webhook verification is successful, the request is forwarded to the next action. If the verification fails, the request chain is terminated with a
403response. - Configurable Enforcement: By default, verification failures result in termination. However, setting
enforce: falseallows unverified requests to proceed, while logging the verification result. This option is useful for debugging, testing, and crafting your own custom responses with action result variables.
Endpoint Verification
Some webhook providers require an initial endpoint verification challenge to validate that your application is legitimate before sending webhook events. The verify-webhook action automatically handles endpoint verification challenges for supported providers.
- Supported providers:
- Worldline
- Xero
- Zoom
Replay Prevention with Timestamp Tolerance
To prevent replay attacks, ngrok verifies that the webhook’s timestamp falls within an acceptable range.
Secret Handling and Encryption
All secrets used for webhook verification are encrypted at config validation. When ngrok processes a requests the secret is decrypted.
Supported Providers
Currently, these integration guides refer to modules.
| Provider | Provider Identifier | Integration Guide |
|---|---|---|
| AfterShip | aftership | Documentation |
| Airship | airship | Documentation |
| Alchemy | alchemy | Documentation |
| Amazon SNS | sns | Documentation |
| Autodesk Platform Services | autodesk | Documentation |
| Bitbucket | bitbucket | Documentation |
| Bolt | bolt | Documentation |
| Box | box | Documentation |
| Brex | brex | Documentation |
| Buildkite | buildkite | Documentation |
| Calendly | calendly | Documentation |
| Castle | castle | Documentation |
| Chargify | chargify | Documentation |
| CircleCI | circleci | Documentation |
| Clearbit | clearbit | Documentation |
| Clerk | clerk | Documentation |
| Coinbase | coinbase | Documentation |
| Contentful | contentful | Documentation |
| DocuSign | docusign | Documentation |
| Dropbox | dropbox | Documentation |
| Facebook Graph API | facebook_graph_api | Documentation |
| Facebook Messenger | facebook_messenger | Documentation |
| Frame.io | frameio | Documentation |
| GitHub | github | Documentation |
| GitLab | gitlab | Documentation |
| Go1 | go1 | Documentation |
| Heroku | heroku | Documentation |
| Hosted Hooks | hostedhooks | Documentation |
| HubsSpot | hubspot | Documentation |
| Hygraph (Formerly GraphCMS) | graphcms | Documentation |
instagram | Documentation | |
| Intercom | intercom | Documentation |
| Launch Darkly | launch_darkly | Documentation |
| Mailchimp | mailchimp | Documentation |
| Mailgun | mailgun | Documentation |
| Microsoft Teams | microsoft_teams | Documentation |
| Modern Treasury | modern_treasury | Documentation |
| MongoDB | mongodb | Documentation |
| Mux | mux | Documentation |
| Orb | orb | Documentation |
| Orbit | orbit | Documentation |
| PagerDuty | pagerduty | Documentation |
| Pinwheel | pinwheel | Documentation |
| Plivo | plivo | Documentation |
| Pusher | pusher | Documentation |
| SendGrid | sendgrid | Documentation |
| Sentry | sentry | Documentation |
| Shopify | shopify | Documentation |
| Signal Sciences | signal_sciences | Documentation |
| Slack | slack | Documentation |
| Sonatype Nexus | sonatype | Documentation |
| Square | square | Documentation |
| Stripe | stripe | Documentation |
| Svix | svix | Documentation |
| Terraform | terraform | Documentation |
| TikTok | tiktok | Documentation |
| Trend Micro Conformity | trendmicro_conformity | Documentation |
| Twilio | twilio | Documentation |
twitter | Documentation | |
| Typeform | typeform | Documentation |
| VMware Workspace | vmware | Documentation |
| Webex | webex | Documentation |
whatsapp | Documentation | |
| Worldline | worldline | Documentation |
| Xero | xero | Documentation |
| Zendesk | zendesk | Documentation |
| Zoom | zoom | Documentation |
Examples
Basic Example
This example configuration sets up an endpoint (gitlab-webhook-example.ngrok.io) that receives webhook requests from GitLab. The Verify Webhook action checks the authenticity of the request using a shared secret. If the request is verified, a custom response is sent back with a status 200 OK and a plain text confirmation message.
Example Traffic Policy Document
- YAML
- JSON
---
on_http_request:
- actions:
- type: "verify-webhook"
config:
provider: "gitlab"
secret: "secret!"
- type: "custom-response"
config:
status_code: 200
headers:
content-type: "text/plain"
content: "GitLab webhook verified"
{
"on_http_request": [
{
"actions": [
{
"type": "verify-webhook",
"config": {
"provider": "gitlab",
"secret": "secret!"
}
},
{
"type": "custom-response",
"config": {
"status_code": 200,
"headers": {
"content-type": "text/plain"
},
"content": "GitLab webhook verified"
}
}
]
}
]
}
Start Endpoint with Traffic Policy
ngrok http 8080 --url gitlab-webhook-example.ngrok.io --traffic-policy-file /path/to/policy.yml
$ curl --location --request POST 'https://gitlab-webhook-example.ngrok.io/' \
--header 'X-Gitlab-Token: secret!'
> POST / HTTP/2
> Host: gitlab-webhook-example.ngrok.io
> User-Agent: curl/[version]
> Accept: */*
> X-Gitlab-Token: secret!
...
This request will first be processed by the Verify Webhook action. If the GitLab webhook verification is successful, ngrok will return a 200 OK response with the message GitLab webhook verified.
HTTP/2 200 OK
content-type: text/plain
GitLab webhook verified
Action Result Variables
The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.
| Name | Type | Description |
|---|---|---|
actions.ngrok.verify_webhook.verified | bool | Indicates whether or not the request was successfully verified. |
actions.ngrok.verify_webhook.error.code | string | Code for an error that occurred during the invocation of an action. |
actions.ngrok.verify_webhook.error.message | string | Message for an error that occurred during the invocation of an action. |