Apify and Crawlee Official Forum

Updated 4 months ago

Webhook security

Hello, I am interested in setting a webhook to receive events when a particular actor run has succeeded. However, I want to be able to secure my endpoint to ensure that only Apify can invoke it.

I found an earlier post from June suggesting that this isn't possible but the Apify documentation suggests otherwise:
https://discord.com/channels/801163717915574323/1115873908046966864

The documentation says to do the following:
https://docs.apify.com/platform/integrations/webhooks/actions
For safety reasons, the webhook URL should contain a secret token to ensure only Apify can invoke it.


However, I am unsure of what this means. Does anyone have any advice? For additional context, I am using AWS API Gateway.
4 comments
Hi, I think it is related to implementing a URL parameter on your endpoint, so they would work as https://my.api.com/entity/add?token=__VERY_SECRET_TOKEN__
but it wouldn't work as https://my.api.com/entity/add
Thanks for the response and sorry for the delay at my end. How would I configure Apify to automatically include this query parameter in the webhook request?

I know how to parse it and verify if it is identical to my secret server-side but I am not currently receiving any value from Apify
Oh -- I think I understand now. So you're saying I should hard-code the ?token=__VERY_SECRET_TOKEN value into the value for the webhook endpoint in Apify. Then, I can parse the query parameters and verify it server-side. Is that correct?
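
The server-side check discussed in this thread, as an added example that is not from any of the posters or from Apify: a Python AWS Lambda handler behind API Gateway that rejects requests whose `token` query parameter does not match the stored secret. It assumes Lambda proxy integration (the `queryStringParameters` and `body` event fields), a hypothetical `WEBHOOK_TOKEN` environment variable, and an `eventType` field in the webhook payload.

```python
import hmac
import json
import os

# Assumption: the shared secret comes from an environment variable with the
# hypothetical name WEBHOOK_TOKEN. The fallback is a constructed sample value
# for local testing only.
EXPECTED_TOKEN = os.environ.get("WEBHOOK_TOKEN", "sample-token-for-local-testing")


def token_is_valid(event, expected=EXPECTED_TOKEN):
    """Return True only if the request's ?token= value matches the secret."""
    # API Gateway sets queryStringParameters to None when there is no query string.
    params = event.get("queryStringParameters") or {}
    supplied = params.get("token")
    if not supplied or not expected:
        return False
    # Constant-time comparison, so response timing does not reveal how much
    # of a guessed token was correct.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handler(event, context):
    if not token_is_valid(event):
        # Same response for a missing and a wrong token; the supplied value
        # is never logged or echoed back.
        return {"statusCode": 401, "body": json.dumps({"error": "unauthorized"})}
    try:
        payload = json.loads(event.get("body") or "{}")
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid JSON"})}
    # Assumption: the payload carries an "eventType" field.
    return {
        "statusCode": 200,
        "body": json.dumps({"received": payload.get("eventType")}),
    }
```

Because the token travels in the URL, it can end up in access logs and proxy logs; serve the endpoint over HTTPS only and keep the query string out of anything you log.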