Webhooks are powerful because they let Pocketsflow talk directly to your systems. They must be secured so that only genuine requests are processed.

Webhook signing secrets

When you configure a webhook endpoint in Pocketsflow:
  • You will receive (or set) a signing secret.
  • Pocketsflow uses this secret to sign outgoing webhook requests.
You should:
  • Store the secret securely (for example, as an environment variable).
  • Never share it publicly or commit it to version control.

Verifying signatures

The exact algorithm and header names may evolve, but the general pattern is:
  1. Pocketsflow calculates a signature using:
    • The request body.
    • A timestamp.
    • Your shared secret.
  2. The signature is sent in an HTTP header (for example, X-Pocketsflow-Signature).
  3. Your server:
    • Recalculates the expected signature using the same inputs.
    • Compares it to the header value using a constant-time (timing-safe) comparison.
If the signatures don’t match, you should reject the request.

Additional defenses

Best practices for webhook security include:
  • Validating the Content-Type and payload shape before processing.
  • Enforcing reasonable time windows on timestamps in the signature header.
  • Using HTTPS endpoints with valid certificates.
  • Limiting which IP ranges can reach your webhook, if feasible.
Never expose sensitive internal services directly to the public internet without a layer that can validate and filter requests.
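
The verification steps above, together with the timestamp-window defense, as an added example that is not Pocketsflow's own code. Because the page says the algorithm and header names may evolve, the scheme here is an assumption: HMAC-SHA256 over `<timestamp>.<raw body>`, carried in a header of the form `t=<unix time>,v1=<hex digest>`; the secret and payload are constructed sample values.

```python
import hmac
import hashlib
import time

# Assumed scheme (not specified by the page): HMAC-SHA256 over "<timestamp>.<raw body>",
# sent as "t=<unix timestamp>,v1=<hex digest>" in the signature header.
HEADER_NAME = "X-Pocketsflow-Signature"
TOLERANCE_SECONDS = 300  # reject timestamps more than 5 minutes from local time


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the header value a sender would attach (assumed format)."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(secret: bytes, header: str, body: bytes, now: int,
           tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True only if the header is well-formed, fresh, and matches the raw body."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    ts_raw = parts.get("t")
    provided = parts.get("v1")
    if ts_raw is None or provided is None or not ts_raw.isdigit():
        return False  # malformed header: treat as unsigned
    timestamp = int(ts_raw)
    # Enforce the time window so a captured request cannot be replayed later.
    if abs(now - timestamp) > tolerance:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    secret = b"whsec_constructed_sample"  # constructed; load from an env var in real use
    body = b'{"event":"order.paid","id":"ord_123"}'  # constructed sample payload
    now = int(time.time())
    hdr = sign(secret, now, body)
    print(verify(secret, hdr, body, now))          # True
    print(verify(secret, hdr, body + b" ", now))   # False: body tampered
    print(verify(secret, hdr, body, now + 600))    # False: outside the time window
```

Verify against the raw request bytes, not a re-serialized JSON object, since any re-encoding changes the signed input.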

Handling secrets safely

Use your stack’s standard tools for managing secrets:
  • Environment variables.
  • Secret managers (for example, your cloud provider's secrets service).
Rotate secrets if:
  • You suspect they have been exposed.
  • You change ownership of infrastructure.