[workflow][webhook] Authorization header


I am using webhooks in workflows on property changes to perform actions on my own API.
My question deals with authentification of the origin of the webhook from this API. Indeed, I want to verify that hubspot is sending these weebhooks.
After verifying headers and reading other topics on the forum, I no that no X-Hubspot-Signature is not sent by these workflow webhooks.
I also noted that in the workflow UI, I can check the authentication option and give both a user name and a password, that logically seems to populate the authorization header. What I don't understand is how is this authorization token-like word generated and how can I check its value?


Hi @Napols,

Workflow webhook actions use basic access authentication, as described below. The username and password are combined and Base64 encoded. For example, if you use Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l


Okay, thank you for this reply. I actually used an API key in my webhook url to authenticate the requests waiting for any answer, but will change it soon.