Secure Webhook URLs

Protecting your webhook endpoint

If your webhook endpoint is on the open internet, you must protect it from unwanted or malicious traffic. Here are some ways you can secure your webhook.

Whitelist of IP addresses

We recommend blocking all unfamiliar traffic to your webhook. You can do this with ingress rules that block all traffic that doesn't come from Ocrolus or your own infrastructure.

We'll send notifications to your registered webhooks from one of the following IP addresses:

  • 18.205.30.63
  • 18.208.79.114
  • 18.213.224.210
  • 18.233.250.22
  • 35.173.140.133
  • 35.174.183.80
  • 54.164.238.206

HTTP basic authentication scheme

You can secure your webhook's endpoint with Basic authentication. To ensure that Ocrolus can access your webhook, include credentials for the webhook in the registered URL, e.g. as https://webhook_user:[email protected]/the/rest/of/the/url.

curl -X POST \
    -H "Content-Type: application/json" \
    --oauth2-bearer "eyJhbGciOiJ...2hUye_4CpIvQ" \
    -d '{"webhook_endpoint" : "https://username:[email protected]/ocrolus/webhook", "event" : "BOOK_VERIFIED"}' \
    https://www.ocrolus.com/api/v1/account/settings/update/webhook_endpoint

We mean Basic authentication for your endpoints.

We're moving our own endpoints away from Basic authentication in favor of using OAuth 2.0 (see here for more info). However, authenticating Ocrolus to your own webhook with Basic authentication is viable if combined with other security measures.
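
The two measures above can be combined inside the webhook handler as a second layer behind your ingress rules. The following is an added example, not Ocrolus code: the function names and the expected credentials are hypothetical, and the address list is the one given on this page.

```python
import base64
import binascii
import hmac
import ipaddress

# Source addresses listed on this page for Ocrolus webhook notifications.
OCROLUS_SOURCE_IPS = frozenset(
    ipaddress.ip_address(a) for a in (
        "18.205.30.63", "18.208.79.114", "18.213.224.210", "18.233.250.22",
        "35.173.140.133", "35.174.183.80", "54.164.238.206",
    )
)


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authorize(peer_ip, auth_header, expected_user, expected_password):
    """Return the HTTP status the webhook handler should answer with."""
    # peer_ip must be the TCP peer address (or a value set by your own trusted
    # proxy), never a client-supplied X-Forwarded-For header.
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return 403
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap those.
    peer = getattr(peer, "ipv4_mapped", None) or peer
    if peer not in OCROLUS_SOURCE_IPS:
        return 403
    creds = parse_basic(auth_header)
    if creds is None:
        return 401
    # Compare both fields in constant time; evaluate both before combining.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return 200 if (user_ok and pass_ok) else 401
```

Call authorize() before parsing the request body, and keep the ingress rules in place so that this check only has to catch traffic that slipped past them.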
