Hi,
How do you secure your API? I’m working with Voiceflow to make chat bots and connect it with make.com. How do I secure the APIs before I hand it over to the client, because I heard that if you don’t secure it, it can be leaked.
Thank you.
Hello,
Security is really important!
Nice that you’re asking.
Please tell us a little bit more as this is very complex to cover in general.
Are you referring to API webhooks and securing them so unauthorized calls won’t trigger software, or do you have API keys in mind?
Whatever you do - treat your keys with the highest caution. Anyone who gets them can use your apps. That’s something some “vibe-coders” forget and put tokens in the front-end. The results can be very bad.
Hi! Thanks for your reply.
I’m referring specifically to securing Make webhooks.
My setup is:
A Voiceflow chatbot sends user input to Make via a webhook URL.
Make processes the data and performs actions (like sending emails, storing data, etc.).
I will give the chatbot link to a client, so the webhook might be reachable from the public internet.
I want to make sure that:
Only Voiceflow can trigger the webhook
No one else can spam or trigger the scenario by calling the webhook URL directly
I don’t expose any API keys in the front-end
What is the recommended way to secure a Make webhook in this case?
Hi, thanks!
So in Voiceflow you can set up custom headers. Use Make.com’s native x-make-apikey authorization method.
Setup in Make:
Setup in Voiceflow:
Agent tools:
Because it’s Make.com’s native function, you don’t have to bother with additional setup - as long as your token remains secure, each call without the proper header gets rejected and doesn’t trigger the scenario.
The header should be controlled by Voiceflow and should be impossible to see from the frontend or browser console.
With this, you’ll have a more secure setup than 99% of YouTube gurus
Next, you can set up the maximum number of runs per minute:
Lastly - you can contact Voiceflow support and ask for a list of their IPs used for outbound calls. I don’t know if they’ll provide it for you - if they do, use this setting in Make and validate IPs before processing the request. If they don’t match, set up an alert.
webhook -> edit -> toggle on Advanced settings:
What else can you do? In the backend, try to build some kind of logging mechanism - each abnormal usage should force you to check settings and refresh the token.
I see that there is also a user-agent header. I cannot guarantee it will be sent with every Voiceflow call - I tested it out with a simple block call - but as an extra layer of protection, you can set up a route if it does not start with “Voiceflow”. In case the webhook address gets leaked, you can take action.
Make, compared to, for example, self-hosted N8N, handles DDoS protection and other extremely important tasks for you. So as long as you know what you are doing and do not expose anything publicly, you are pretty secure.
Most importantly, the user is always the biggest security risk. Unless necessary, limit access to Voiceflow and Make settings and do not share this with your client.
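Added example, not part of the thread and not Make's or Voiceflow's own code: a Python sketch of the logging check described above, combining the `x-make-apikey` header, the IP allowlist, the `Voiceflow` user-agent prefix and the per-minute limit. The record format, token, IP range, user-agent version string and threshold are constructed placeholders.

```python
import hmac
import ipaddress
from collections import Counter

# Constructed placeholders: use your real token and the ranges Voiceflow support provides.
EXPECTED_KEY = "example-token-not-real"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range, not Voiceflow's
MAX_PER_MINUTE = 3  # assumed limit, mirror the value configured on the webhook

def check_request(rec):
    """Return the reasons one webhook call looks abnormal (empty list = clean)."""
    headers = {k.lower(): v for k, v in rec["headers"].items()}  # names are case-insensitive
    reasons = []
    key = headers.get("x-make-apikey", "")
    # Constant-time comparison; log only the outcome, never the key value itself.
    if not hmac.compare_digest(key.encode(), EXPECTED_KEY.encode()):
        reasons.append("bad_or_missing_key")
    ip = ipaddress.ip_address(rec["ip"])
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append("ip_not_allowlisted")
    if not headers.get("user-agent", "").startswith("Voiceflow"):
        reasons.append("unexpected_user_agent")
    return reasons

def review(records):
    """Collect alerts for abnormal calls and for minutes above MAX_PER_MINUTE."""
    alerts, per_minute = [], Counter()
    for rec in records:
        minute = rec["time"][:16]  # "YYYY-MM-DDTHH:MM"
        per_minute[minute] += 1
        if per_minute[minute] == MAX_PER_MINUTE + 1:  # alert once per noisy minute
            alerts.append((minute, ["rate_exceeded"]))
        reasons = check_request(rec)
        if reasons:
            alerts.append((rec["time"], reasons))
    return alerts

# Constructed sample records (hypothetical format)
SAMPLE = [
    {"time": "2025-01-01T10:00:01", "ip": "203.0.113.7",
     "headers": {"X-Make-Apikey": EXPECTED_KEY, "User-Agent": "Voiceflow/1.0"}},
    {"time": "2025-01-01T10:00:05", "ip": "198.51.100.9",
     "headers": {"User-Agent": "curl/8.0"}},
    {"time": "2025-01-01T10:00:09", "ip": "203.0.113.7",
     "headers": {"x-make-apikey": "wrong", "user-agent": "Voiceflow/1.0"}},
]

if __name__ == "__main__":
    for when, reasons in review(SAMPLE):
        print(when, ",".join(reasons))
```

Any alert here is a cue to check the webhook settings and rotate the token, as suggested above.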