I am new to Make. I would like to authenticate my incoming webhooks. My source app allows me to configure any of these authentication strategies when sending a webhook from their side:
- HMAC (message + secret key hashed using sha256 algorithm, encoded base64)
- Appending an API key to the header
I am having difficulty figuring out how to set up Make webhooks so that incoming messages are authenticated before the payload is passed on. I think I need to enable “Get Request Headers” in the webhook itself, but then do I authenticate using a filter, or do I use another module? If the former, how do I configure the filter? (I think I saw some documentation re: map and get + sha256, but I don’t completely understand it.) If the latter, which module(s) should I use and how would I configure it to authenticate using any of the four authentication strategies listed above?
Thank you so much!
Hey @Kari_G - welcome to the Community!
That’s a great question. The key (pun intended) is in how you check the validity of the authentication. You’ll need some kind of store to hold valid keys, messages or tokens.
You could hold those in a Google Sheet, Airtable base or any other app that can store and retrieve data. But for speed (which is likely to be important in a Webhook response) it may be best to use a Make Data Store.
The only downside is that editing large amounts of data in a Data Store isn’t easy as the UI isn’t really designed for that - so if you expect to have a lot of data in there, you might need an additional scenario that manages it through a forms front-end.
After you’ve checked the authentication validity, if it fails you should use the Webhook Response module to send a 401 error with a suitable body text.
Welcome to the Make community!
You could just add a filter immediately after the trigger, and check one of the following:
If you are on an Enterprise plan, you could replace the value “password” with a Custom Variable stored in your team. That way you don’t have to update each filter for all your webhook scenarios when you only want to rotate the token value.
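Added example (not part of the original thread, and not Make's own code): what the two checks discussed above compute, written as a small Python receiver. It covers the API-key header comparison from this answer and the HMAC option from the question, and returns a 401 on failure as suggested earlier. The header names, secret and key are constructed placeholders, and signing the raw request body is an assumption about the sending app.

```python
import base64
import hashlib
import hmac

# Constructed sample values. The header names are assumptions: use the ones
# configured in the sending app.
SECRET = b"constructed-shared-secret"
API_KEY = "constructed-api-key"
SIG_HEADER = "x-signature"
KEY_HEADER = "x-api-key"


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Base64 of HMAC-SHA256 over the raw body, as the sender would attach it."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()


def _header(headers: dict, name: str) -> str:
    # HTTP header names are case-insensitive; a missing header becomes "".
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def check_api_key(headers: dict) -> bool:
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(_header(headers, KEY_HEADER).encode(), API_KEY.encode())


def check_hmac(headers: dict, body: bytes) -> bool:
    # Recompute over the bytes exactly as received; re-serialised JSON can
    # differ in whitespace or key order and would no longer match.
    return hmac.compare_digest(_header(headers, SIG_HEADER).encode(), sign(body).encode())


def handle(headers: dict, body: bytes, mode: str = "hmac"):
    """Return (status, text): 401 when the check fails, 200 otherwise."""
    ok = check_hmac(headers, body) if mode == "hmac" else check_api_key(headers)
    if not ok:
        return 401, "Unauthorized"
    return 200, "Accepted"
```

The API-key check only proves the sender knows the key, while the HMAC check also fails if the body was altered in transit.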
Thank you for responding to me so quickly and for your warm welcome, David! I really appreciate you taking the time to do so! I’ll check out the Webhook Response module - I think that will come in very handy.
Wow! Thank you Sam for this quick and very helpful response! And thank you for the welcome too. I think both of these solutions will do the trick, but especially the second solution is in line with what I was trying to figure out.
I have been searching and searching for how to accomplish this task, so your answer is greatly appreciated! I will give it a go and let you know.
Thank you, thank you, thank you!!!
No problem, glad I could help!
The Make Community guidelines encourage users to try to mark helpful replies as solutions to help keep the Community organized.
This marks the topic as solved, so that:
- others can save time when catching up with the latest activity here, and
- allows others to quickly jump to the solution if they come across the same problem
To do this, simply click the checkbox at the bottom of the post:
Once you’ve given it a go and found that the solution suits your requirements, hope you can return to provide any additional feedback and close off this thread.
Thank you for letting me know about this community guideline! I will be sure to come back and give an update about how things went, mark the solution, and close the thread.
Thank you again for everything!
Hi @samliew ,
I just can’t thank you enough for your help! Your solution worked like a charm! I used the second API Key authentication example you gave me. Thank you also for the tip about the Enterprise plan - that will make things easier too.
I’m going to expound on your solution with a few screenshots in case anyone else, who is trying to set up webhook authentication and also test with Postman, comes across this post.
Thank you again for your help and for getting back to me so quickly! You saved me a lot of time and extra frustration - I was already careening toward frustration when I reached out! What a great resource this community is!
Here is my Postman API Key authentication setup:
In the webhook, I toggled “Show advanced settings” on and made sure “Get request headers” was set to “Yes.”
Here’s where I put the “Key” (arbitrary key name) and “Value” (arbitrary password) from Postman into the filter you showed me how to set up:
This is what the scenario looked like when the filter did its job (password didn’t match, authentication failed - filter icon has “0” badge, and payload did not pass to the next module.)
This is what the scenario looked like when the password matched (authentication passed, and payload was passed to the next module.)
Excellent! I’m glad to hear that you got the Header authentication method working, and thanks for sharing screenshots of your setup, which is very helpful to others who may also consider securing their webhooks this way.