n8nworkflows.io
Sign in

🗲 Creating a Secure Webhook - MUST HAVE

Download [12.1KB]

Nodes

2cf69bf8-d025-41db-983e-898d5f3acf5a9dd572aa-e531-4ffe-a66c-58ac7003ac5d3b9f1b78-6b80-4575-aa6c-966987000389083a55c9-df56-4154-959f-52737890cad0

Categories

Security & Compliance

Tags

#Miscellaneous

Created by

luLucas Peyrin

Last edited 58 days ago

How it works

This workflow demonstrates a fundamental pattern for securing a webhook by requiring an API key. It acts as a gatekeeper, checking for a valid key in the request header before allowing the request to proceed.

  1. Incoming Request: The Secured Webhook node receives an incoming POST request. It expects an API key to be sent in the x-api-key header.
  2. API Key Verification:
    • The Check API Key node takes the key from the incoming request's header.
    • It then makes an internal HTTP request to a second webhook (Get API Key) which acts as a mock database.
    • This second webhook retrieves a list of registered API keys (from the Registered API Keys node) and filters it to find a match for the key that was provided.
  3. Conditional Response:
    • If a match is found, the API Key Identified node routes the execution to the "success" path, returning a 200 OK response with the identified user's ID.
    • If no match is found, it routes to the "unauthorized" path, returning a 401 Unauthorized error.

This pattern separates the public-facing endpoint from the data source, which is a good security practice.

Set up steps

Setup time: ~2 minutes

This workflow is designed to be a self-contained example.

  1. Set up Credentials: This workflow uses "Header Auth" for its internal communication. Go to Credentials and create a new Header Auth credential. You can use any name and value (e.g., Name: X-N8N-Auth, Value: my-secret-password). Select this credential in all four webhook/HTTP Request nodes.
  2. Add Your API Keys: Open the Registered API Keys node. This is your mock database. Edit the array to include the user_id and api_key pairs you want to authorize.
  3. Activate the workflow.
  4. Test it: Use the Test Secure Webhook node to send a request.
    • Try it with a valid key from your list to see the success response.
    • Change the x-api-key header to an invalid key to see the 401 Unauthorized error.

For Production: Replace the mock database part of this workflow (the Get API Key webhook and Registered API Keys node) with a real database node like Supabase, Postgres, or Baserow to look up keys.

You may also like

Validate Seatable Webhooks with HMAC SHA256 Authentication

Validate Seatable Webhooks with HMAC SHA256 Authentication

vqvquie
1.1k
69
Learn Secure Webhook APIs with Authentication and Supabase Integration

Learn Secure Webhook APIs with Authentication and Supabase Integration

nonocodecreative
1.9k
106
Secure API Endpoint with Bearer Token Authentication and Field Validation

Secure API Endpoint with Bearer Token Authentication and Field Validation

xqxqus
852
59

New to n8n?

Need help building new n8n workflows? Process automation for you or your company will save you time and money, and it's completely free!

Trending

Generate AI viral videos with NanoBanana & VEO3, shared on socials via Blotato

Generate AI viral videos with NanoBanana & VEO3, shared on socials via Blotato

drDr. Firas
5.6k
272
Generate & Publish Professional Video Ads with Veo 3, Gemini & Creatomate

Generate & Publish Professional Video Ads with Veo 3, Gemini & Creatomate

luLukaszB
5.5k
369
Build a Multichannel Customer Support AI Assistant with Chatwoot & OpenRouter

Build a Multichannel Customer Support AI Assistant with Chatwoot & OpenRouter

zrGeorge Zargaryan
1.5k
86