Webhook Authentication


ehi...@answersingenesis.org

Aug 3, 2017, 1:30:45 PM
to Shippo API Announcements
I'm curious if/how others are authenticating the webhook requests from Shippo. I am thinking I will put some type of encoded value in the metadata field that I can use to verify the request. Any thoughts?

Simon Kreuz

Aug 3, 2017, 3:33:42 PM
to Shippo API Announcements
Hi there,

We recommend one of the following approaches:

1) Whitelist IPs
All of our webhooks are sent from the following IPs, which you can whitelist:

US Region
54.81.253.187
54.81.255.221
52.23.121.194
52.44.110.80

EU region
34.253.119.130
52.214.174.64
34.248.247.69
54.72.179.250

(This is an exhaustive set.)

2) Use security tokens
You can add a token of your choice to the endpoint URL, e.g. `https://myurl.com/?token=123abc`. This is not very secure, since it may be logged in more places, but provides an additional layer of security. Our team is also working on an improvement that allows you to add a token of your choice to the webhook endpoint via the Shippo App. This token will then be included in the webhook's POST request "Shippo-Signature" header, and provides more security than the endpoint URL token.

Hope that helps!

Best,
Simon

ehi...@answersingenesis.org

Aug 3, 2017, 3:43:13 PM
to Shippo API Announcements
Thanks for your suggestions! I talked it over with a colleague and I think we are going to do something similar to the solution that you said your team is working on. Since we are only using Shippo to track packages after shipment, we are sending a unique security token for each tracking number in the metadata field for the webhook. When the "Shippo-Signature" header feature is available, we may switch to that, but this is serving our purposes for now.
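The per-tracking-number metadata token described in the thread, combined with the source IP list from the reply, as an added example that is not code from any of the posters or from Shippo. The secret, the function names and the JSON layout (`data.tracking_number`, `data.metadata`) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret loaded from configuration, never sent to Shippo.
SECRET = b"constructed-demo-secret-change-me"

# Source IPs listed in the reply above (US and EU regions).
SHIPPO_IPS = frozenset({
    "54.81.253.187", "54.81.255.221", "52.23.121.194", "52.44.110.80",
    "34.253.119.130", "52.214.174.64", "34.248.247.69", "54.72.179.250",
})


def token_for(tracking_number: str) -> str:
    """Derive the token to store in the metadata field for one tracking number."""
    mac = hmac.new(SECRET, tracking_number.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def verify_webhook(remote_ip: str, raw_body: bytes) -> bool:
    """Accept only if the sender IP is listed and the metadata token matches.

    remote_ip must be the TCP peer address (or a value set by a proxy you
    control), not a header the client can supply freely.
    """
    if remote_ip not in SHIPPO_IPS:
        return False
    try:
        data = json.loads(raw_body)["data"]  # assumed payload layout
        tracking = data["tracking_number"]
        presented = data["metadata"]
        if not isinstance(tracking, str) or not isinstance(presented, str):
            return False
        expected = token_for(tracking).encode("ascii")
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(presented.encode("utf-8"), expected)
    except (ValueError, KeyError, TypeError):
        # Malformed JSON, missing fields or undecodable text: reject.
        return False
```

Deriving the token with an HMAC means the receiver stores nothing per shipment: it recomputes the expected value from the tracking number in the request.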