Authentication and Security

Authentication

To ensure the security and integrity of webhook data flowing between Tulip and external systems, it is essential to authenticate and properly secure webhook requests. The following methods are supported for Tulip Webhooks:

No Auth

You can choose to not have authentication as a part of the webhook subscription. To create a webhook with no authentication, set the Authentication Method to NONE. When this option is selected, no Authorization header will be set as a part of the event.

Bearer Token

Bearer authentication is an HTTP authentication scheme that uses security tokens commonly referred to as Bearer Tokens. To create a webhook subscription with bearer token authentication, set the Authentication Method property to BEARER and provide the token field.

Username and Password (Basic Authentication)

Basic authentication uses a username and password. To create a webhook subscription with basic authentication, set the Authentication Method to BASIC and provide the username and password fields.

HMAC Security

💡 Tulip highly recommends that you implement HMAC verification on your systems for added safety.

For webhook events sent to external systems, Tulip signs the webhook message with HMAC-SHA256, using a secret key that Tulip generates automatically. The event includes the header x-tulip-hmac-256, which carries the resulting HMAC value of the message. When you receive the request from Tulip, you can verify the authenticity and integrity of the message by computing the HMAC-SHA256 of the webhook message with the same key and ensuring that the result matches the value sent in the x-tulip-hmac-256 header.

Benefits of HMAC Security:

  • Since the secret key is known only to the webhook provider (Tulip) and the listener (external integrator), HMAC verifies that the message comes from the webhook provider (authenticity) and that its contents have not been altered since the time of sending (integrity).
  • The HMAC key will not be shared with anyone other than the webhook provider (Tulip) and the listener (external integrator), and it will never be sent as a part of the request.

Your unique HMAC key can be found in the Tulip Admin Console under Webhook Subscription Page → Display HMAC Key.
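
A listener-side check for the x-tulip-hmac-256 header described above, written as an added example and not taken from Tulip's own code. It assumes the signed message is the raw request body and, because this page does not state how the signature is encoded, accepts either hex or base64; the function names, key and payload are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

HEADER = "x-tulip-hmac-256"  # header name documented on this page
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def decode_signature(value):
    """Return the raw 32-byte digest from the header, or None if malformed.

    Assumption: the page does not state the encoding, so hex and base64
    are both accepted. Pin this to the one you observe in real requests.
    """
    value = value.strip()
    try:
        raw = bytes.fromhex(value) if len(value) == 2 * DIGEST_LEN \
            else base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == DIGEST_LEN else None


def verify_webhook(raw_body, headers, key):
    """True only if the header carries a valid HMAC-SHA256 of raw_body."""
    # HTTP header names are case-insensitive; a missing header is a failure.
    sent = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    received = decode_signature(sent) if sent else None
    if received is None:
        return False
    # Assumption: the signed message is the request body exactly as received,
    # so hash the raw bytes before any JSON parsing or re-serialisation.
    expected = hmac.new(key, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"constructed-example-key"            # constructed, not a real key
    body = b'{"event":"constructed.example"}'   # constructed sample payload
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    print(verify_webhook(body, {"X-Tulip-HMAC-256": sig}, key))          # valid
    print(verify_webhook(body + b" ", {"X-Tulip-HMAC-256": sig}, key))   # altered body
    print(verify_webhook(body, {}, key))                                 # header absent
```

Reject the request (for example with a 401 response) whenever the check returns False, and run it before acting on any field in the payload.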