We’re currently integrating with ShipHero’s webhooks and had a quick question regarding security: is there any way to include a form of authentication (e.g., a secret token or API key) in the webhook request headers? This would help us verify that incoming requests to our endpoint are indeed coming from ShipHero.
Hello and thank you for your submission,
Yes! There is indeed a way to authenticate webhooks. You can find documentation on it here. The secret key can be displayed when creating the webhook through the api, or you can find it under account settings > public API after the fact.
Hi Nathan,
For context, we’re a carrier working with a ShipHero user to integrate our services. They’ve set up webhooks on their end, and we’ve built the middleware to receive and process those events.
We’ve already reviewed the HMAC-based verification in the documentation and can support it on our side. That said, we want to know if custom headers are supported in the webhook request for additional validation (e.g., JWT token, ideally one generated by our system)? This would allow us to layer in more control on our end and more easily identify traffic from specific partners or flows.
Hi Iramos,
There is not currently support for custom headers or authorization within out webhooks.
Thanks for confirming.
Are custom headers or authorization for webhooks part of the product roadmap, or is that expected to remain as-is for the foreseeable future?
We have placed feature requests regarding this but they have not yet been approved for the product.