Authentication when adding a Shipping Carrier

To register a Generate Label Webhook the instructions are to send the Endpoint URL (see Webhooks – Developer Resources | ShipHero). It isn’t clear how authentication is handled though. Is there any further documentation on how the customer can identify their account or credentials when using our webhook?

Hi @epedder!

Something like this? Webhooks – Developer Resources | ShipHero

Thanks in advance!

Hi @tomasw,

Thanks for the response. Unfortunately I don’t think it solves the problem. It allows us to confirm that a specific user sent the request but not which user sent the request.

Maybe I’m missing something obvious or perhaps this is a language issue, but I would be surprised if we (a shipping label provider) are the first to ask this question.

You (ShipHero) provide a “Generate Label Webhook”. Except unlike other webhooks we cannot install it via API - it must be done by All you ask for is the Endpoint URL and the transmission to that URL does not contain any information that lets us (the label vendor) identify who wants the label. So perhaps the identifier needs to be in the URL itself. But does that mean instead of acting as a general carrier like, say, FedEx, we need a unique URL for every ShipHero customer? And that request needs to go to If that’s the case - why not say so? I’ve asked our ShipHero contact and they pointed me to the community forum.

Hello @epedder!
Thanks for reaching out.

Most, if not all, of the shipping label providers, use a specific link for each customer. Their URLs are usually something like this:

But I believe there’s a way for your team to work around this if you prefer to use a single URL. If you check the payload in this link, you will see that in line 43, there’s a field named account_id. This field returns the unique identifier for each account in ShipHero. Even child accounts from 3PLs get their unique ID.
If you poll this field when the webhooks reach your endpoint, you would be able to query the corresponding secret to solve the HMAC and probably trigger anything customer-specific on your end.

Please let me know if this does not help.
Have a great day!