How to authenticate an incoming Webhook (Basic Auth)

I needed to use basic authentication to call Make webhooks and couldn’t find a quick answer to this so I thought I would document how I’ve done this. Hopefully this helps someone else, and of course if you have suggestions to improve this, then please do share!

Screenshot

How to use this
Any 3rd party that passes a username + password for basic authentication can call this webhook.
If the username + password are correct the Webhook Response: Okay (200) path is executed, otherwise the 3rd party receives an Unauthorised (401) response and you can deal with the error however you need to.

How does the scenario work?
The incoming webhook is configured to pass through the headers.

This contains a header named authorization and a value which is an encoded version of the username + password that the 3rd party sent.

All we need to do now is compare that authorization value to what it should be!

In my scenario, for readability I set the username and password as AuthUser and AuthPass in the first set multiple variables module.

In the second set multiple variables module I calculate the encoded value as AuthRequired and use map() to get the value of the authorization header.


Those formulas are:

Basic{{space}}{{base64(7.AuthUser + ":" + 7.AuthPass)}}

and

{{first(map(1.`__IMTHEADERS__`; "value"; "name"; "authorization"))}}

The Router module has two paths.
For the Authentication Passed path I check that AuthRequired is equal to AuthProvided.


For the Authentication Failed path I check that they don’t match. I have also set this as the fallback route.

The Authentication Passed route can carry out whatever actions you need and return a status code of 200 which indicates to the calling system that the call to the webhook was successful. Depending on your needs you might return this first, and then carry out other actions, or you might return this at the end of a series of actions, perhaps with body containing a response.

The Authentication Failed route simply returns a status code of 401 indicating an authentication failure. You could opt to carry out additional actions, for example logging the authentication failure for later inspection.
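To show the same check outside Make, here is an added Python example (not part of the scenario or the blueprint) that mirrors the two formulas and the router: it builds the expected `Basic ...` value, picks the `authorization` entry out of a header list in the `__IMTHEADERS__` shape (`name`/`value` pairs), and returns 200 or 401. The credentials and header list are constructed sample values, and the comparison uses a constant-time compare so a wrong password is not distinguishable by response timing.

```python
import base64
import hmac
from typing import List, Optional

# Constructed credentials standing in for the AuthUser / AuthPass variables.
AUTH_USER = "AuthUser"
AUTH_PASS = "AuthPass"


def expected_header(user: str, password: str) -> str:
    """Equivalent of Basic{{space}}{{base64(AuthUser + ":" + AuthPass)}}."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def provided_header(headers: List[dict]) -> Optional[str]:
    """Equivalent of first(map(__IMTHEADERS__; "value"; "name"; "authorization")).

    Header names are case-insensitive, so match them lower-cased rather than
    relying on the sender to use exactly "authorization".
    """
    for h in headers:
        if h.get("name", "").lower() == "authorization":
            return h.get("value")
    return None


def webhook_status(headers: List[dict]) -> int:
    """Router: 200 on the Authentication Passed path, 401 on the fallback path."""
    required = expected_header(AUTH_USER, AUTH_PASS)
    provided = provided_header(headers)
    if provided is None:  # no header at all: fallback route
        return 401
    # compare_digest runs in time independent of where the strings first differ.
    if hmac.compare_digest(required.encode("utf-8"), provided.encode("utf-8")):
        return 200
    return 401


# Constructed sample request headers in the shape Make passes through.
SAMPLE_HEADERS = [
    {"name": "content-type", "value": "application/json"},
    {"name": "authorization", "value": "Basic QXV0aFVzZXI6QXV0aFBhc3M="},
]

if __name__ == "__main__":
    print(webhook_status(SAMPLE_HEADERS))  # 200
```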

Improvements

  • As configured - for readability - this currently uses 4 operations. You could instead do the calculations in the filters on each route for just 2 operations. I personally prefer to have 1 set multiple variables module, as this keeps the filters for the routes very simple.
  • You could also check other details from the header. For example, you could check the user-agent matches what you expect (the value is just plain text) - note that this is a very small security improvement and shouldn’t be relied upon by itself.
  • Pro/Team users could store the AuthUser and AuthPass variables in team/organisation variables.

Blueprint
blueprint - webhook basic auth.json (16.8 KB)