# Securing Outgoing Webhooks in Datacake

## Overview

This guide shows you how to secure **Datacake outgoing webhooks** using custom HTTP headers (e.g., `Authorization`) and validate them with tools such as **Node-RED**. It includes a real-world example, common pitfalls, and a reusable code snippet.

## Video

{% embed url="<https://www.loom.com/share/4fc74346fc9243b4b01e9c4195475d8a>" %}

## 📤 What Is an Outgoing Webhook?

Datacake allows you to **forward device events** (like measurements, decoder outputs, or downlinks) to external services using webhooks. These webhooks are triggered every time a selected event occurs in your workspace.

You can configure them under:

> **Workspace Sidebar → Integrations → Webhooks**

<figure><img src="/files/B6fLMdT1jGJPyxWjKuZE" alt=""><figcaption></figcaption></figure>

## 🛡️ Why Use Header-Based Authorization?

Because Datacake is cloud-native and its infrastructure is dynamic (scaling up/down), **IP whitelisting is unreliable**. Instead, the recommended and secure way to authenticate webhook requests is via an HTTP header:

* Name: `Authorization` (or any custom header name)
* Value: A secret token known to both Datacake and the receiver (e.g., Node-RED)

All requests are sent via HTTPS, ensuring the token is encrypted during transmission.

## 🧪 Example: Using Node-RED to Receive and Validate Webhooks

### **1. Create the Webhook in Datacake**

1. Go to **Integrations → Webhooks**
2. Click **Add Webhook**
3. Choose an event (e.g., "Device Measurement Recorded")
4. Set your **endpoint URL** (e.g., `https://your-node-red-instance.com/webhook`)
5. Under **Headers**, add:
   * **Name:** `Authorization`
   * **Value:** `Bearer ABC123` (use your own secure token)
6. Click **Create**

{% hint style="info" %}
Note: If you're running Node-RED locally (e.g., on a Raspberry Pi), you need to expose it via the internet (e.g., via [Ngrok](https://ngrok.com/), reverse proxy, or public cloud service) to receive webhooks.
{% endhint %}

### **2. Set Up Node-RED Flow**

In Node-RED:

* Add an `HTTP In` node listening to `POST /webhook`
* Add a `Function` node to validate the Authorization token
* Add `HTTP Response` nodes for success and error

<figure><img src="/files/JbofAoMfhRdFQ20EncK4" alt=""><figcaption></figcaption></figure>

Here is the full flow you can import into Node-RED:

```json
[
  {
    "id": "http_in_node",
    "type": "http in",
    "z": "flow",
    "name": "Webhook In",
    "url": "/webhook",
    "method": "post",
    "upload": false,
    "swaggerDoc": "",
    "x": 160,
    "y": 100,
    "wires": [["check_auth"]]
  },
  {
    "id": "check_auth",
    "type": "function",
    "z": "flow",
    "name": "Check Authorization",
    "func": "// Expected token (replace with your own secret value)\nconst expectedToken = \"Bearer ABC123\";\n\n// Node-RED exposes incoming header names in lowercase\nconst authHeader = msg.req.headers['authorization'];\n\n// Reject the request when the header is missing or does not match\nif (!authHeader || authHeader !== expectedToken) {\n    msg.statusCode = 401;\n    msg.payload = { error: \"Unauthorized\" };\n    return [null, msg];\n} else {\n    return [msg, null];\n}",
    "outputs": 2,
    "noerr": 0,
    "x": 360,
    "y": 100,
    "wires": [["success_response"], ["unauthorized_response"]]
  },
  {
    "id": "success_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 200 OK",
    "statusCode": "",
    "headers": {},
    "x": 580,
    "y": 80,
    "wires": []
  },
  {
    "id": "unauthorized_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 401 Unauthorized",
    "statusCode": "",
    "headers": {},
    "x": 600,
    "y": 120,
    "wires": []
  }
]
```

### **🛠️ How It Works**

* The webhook triggers a `POST` request to `/webhook`
* Node-RED extracts the `Authorization` header
* The Function node compares it with your expected value
* Depending on the result:
  * `HTTP 200` is returned (valid)
  * `HTTP 401` is returned (invalid or missing)

## ⚠️ Common Pitfalls

* Header names in `msg.req.headers` are **always lowercase** in Node-RED.
* Ensure the header value contains no stray whitespace and has no encoding issues.
* If you're using CakeRed (hosted Node-RED on Datacake), ensure your **firewall path allow list** is correctly set.

## 🔒 Security Notes

* Use secure, unguessable tokens (UUIDs or strong random strings).
* Never share your tokens in public repositories or docs.
* Consider rotating tokens periodically.
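
The pitfalls and security notes above, combined into one check, as an added example that is not Datacake's or Node-RED's own code: it compares tokens in constant time, tolerates stray whitespace, and accepts two tokens during a rotation. The function names (`generateToken`, `safeEqual`, `checkAuthorization`) are hypothetical, and the sample tokens are constructed. It runs under plain Node.js; to use it inside a Function node, the `crypto` module has to be made available to that node first.

```javascript
const crypto = require("crypto");

// 32 random bytes, hex-encoded: a token that cannot be guessed.
function generateToken() {
  return crypto.randomBytes(32).toString("hex");
}

// Compare two strings without leaking, through timing, how many leading
// characters match. Hashing first yields the equal-length buffers that
// crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash("sha256").update(s, "utf8").digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// headers: same shape as msg.req.headers (names already lowercase).
// acceptedTokens: the current token plus, while rotating, the previous one.
function checkAuthorization(headers, acceptedTokens) {
  const raw = headers ? headers["authorization"] : undefined;
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, statusCode: 401, reason: "missing header" };
  }
  // Accept only "Bearer <token>"; trim guards against stray whitespace.
  const match = /^Bearer +(\S+)$/.exec(raw.trim());
  if (!match) {
    return { ok: false, statusCode: 401, reason: "malformed header" };
  }
  let ok = false;
  for (const token of acceptedTokens) {
    // No early exit, so every configured token is always compared.
    if (safeEqual(match[1], token.trim())) ok = true;
  }
  return ok
    ? { ok: true, statusCode: 200, reason: "token accepted" }
    : { ok: false, statusCode: 401, reason: "token rejected" };
}

// Constructed sample input: rotation from an old token to a new one.
const oldToken = "ABC123"; // placeholder value used on this page
const newToken = generateToken();
const accepted = [newToken, oldToken];
console.log(checkAuthorization({ authorization: "Bearer ABC123" }, accepted));
console.log(checkAuthorization({ authorization: "Bearer wrong" }, accepted));
console.log(checkAuthorization({}, accepted));
```

Once Datacake has been switched to the new token, drop the old one from the accepted list to complete the rotation.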

### 💬 Questions?

If you have questions or run into issues, feel free to [contact support](https://datacake.co/contact).

