Issue with Webhook Secret and Authentication Mechanism

I have configured a webhook for an alert and was able to pass a secret while setting it up. However, I am receiving the webhook API calls even without the secret being validated, and I am unable to see the secret anywhere in the request headers or body.

Could you clarify where the secret is being passed, or if there's a specific way to verify it within the request?

Additionally, is there any way to authenticate the webhook request using client credentials, similar to how client credential-based authentication works in other APIs?


Answers

  • @Kms

    Thanks for reaching out to our community forum.

    The secret you configured for your Domo webhook is primarily used for security purposes. It acts as a verification mechanism to ensure that the incoming webhook request originates from Domo and hasn't been tampered with. Due to security reasons, it's typically not visible.

    The method of how the secret is passed and validated can vary depending on the webhook provider and your specific configuration.

    If you need further assistance, please create a support case and provide the following details:

    1) Webhook provider: Which service or platform are you using?

    2) Webhook configuration: How did you set up the webhook in Domo?

    3) Request inspection: Share the request headers and body.

    Please note that authenticating the webhook request using client credentials is not currently supported.

    Let us know if you have any other questions.

  • Kms

    Thanks @NemishTambatkasar.

    I have one last question on how I can ensure that the incoming webhook request originates from Domo using the secret. I understand the purpose of it, but even after passing the secret, I am receiving the message as it is in the webhook receiver service without performing any authentication step.

    I am using the webhook from the Alert creation step as mentioned in this document's "attach an action" section and have a C# API to consume that webhook.