Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

You mean HMAC-SHA’ing the payload with a shared secret?

Could you provide the source where this is explained? It would be valuable for us to include in a design proposal if the points apply to Ory’s architecture

We use Svix for our webhooks. Their signature/verification docs are here: <https://docs.svix.com/receiving/verifying-payloads/why>

We’re also looking to adopt a webhook service that has better monitoring capabilities than we do at the moment! But it’s a bit of work …

I found this <https://ngrok.com/blog-post/get-webhooks-secure-it-depends-a-field-guide-to-webhook-security|article> from ngrok where they talked about the implementation of web hook security across the industry. For technical details, the wikipedia <https://en.wikipedia.org/wiki/HMAC#cite_note-:0-3|page> I found summed it up pretty well.

Thanks! I think we can add message authentication to webhooks. Would then simply be another authenticator that can be configured