When you set up a webhook in our Engagement Builder, you are instructing our system to automatically send data to your server whenever a specific event occurs, such as the end of a phone call. Because your endpoint is exposed to the internet, it is crucial to verify that incoming webhook requests are genuinely from us and not from malicious actors.
To ensure your data remains secure, we support three primary methods for webhook authentication: Authorization Headers (Basic Authentication), OAuth2, and selected Third Party integrations.
Authorization Header
Basic Authentication is one of the simplest and most common ways to secure a webhook endpoint. It relies on a standard HTTP header to pass credentials with every request.
Combine the user and password for your endpoint as user:password and encode the result in Base64. Once you have your header value, you can add it directly in our Engagement Builder, in the Authorization Header section of the Delivery Method (when building your webhook).
Security Note: Because Base64 encoding is easily reversed, it does not encrypt your credentials. Therefore, Basic Authentication must only be used over a secure HTTPS connection (SSL/TLS). HTTPS encrypts the entire request, keeping your encoded credentials safe from interception.
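An added example, not code from the Engagement Builder or its vendor: how a receiving endpoint could check the Basic Authentication header described above. It assumes the header arrives in the standard `Basic <Base64 of user:password>` form; the credentials and function names are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample credentials (assumptions, not values from the page).
EXPECTED_USER = "webhook-user"
EXPECTED_PASSWORD = "s3cret:with-colon"


def build_basic_header(user: str, password: str) -> str:
    """Build the header value a sender would transmit: Base64 of user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def verify_basic_header(header_value, scheme_is_https: bool) -> bool:
    """Return True only for a well-formed header carrying the expected credentials."""
    # Base64 is reversible, so refuse credentials that arrived without TLS.
    if not scheme_is_https or not header_value:
        return False
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Compare both fields in constant time, and evaluate both before combining
    # so the result does not reveal which field was wrong.
    user_ok = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8"))
    return user_ok and pass_ok
```

In a real handler, `scheme_is_https` would come from your web framework or TLS-terminating proxy, and a failed check should produce an HTTP 401 response without processing the payload.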
OAuth2
OAuth2 is a modern, highly secure industry standard for authorization. Instead of sending your actual username and password with every single webhook request, OAuth2 relies on temporary, secure access tokens.
You can add the necessary details for your OAuth client in our Settings page in your account.
You would need:
- OAuth Client name: The name you want to give to this specific client
- Client ID: the public unique identifier
- Client Secret: the secret or password known only to the authentication server
- Authentication Endpoint: the URL that you use to make OAuth authorization requests to receive an access token
- Scope: the scopes connected to the access token
- Token Path: you can set your own path here for your authentication endpoint or use the default /oauth2/token
- Authorization Method: default method is Header
Once the OAuth2 client has been created, you can simply select it in the Authentication methods in the Delivery Method when creating your webhook in the Engagement Builder, and we will retrieve a token using the client in Settings.
Third Party integrations
We can currently send webhooks to some third-party solutions such as Salesforce and Contentsquare. You can read each dedicated article to understand how to set up these integrations and use them as authentication for your webhook.
As always, if you have any questions, let us know!