Learn how to securely forward device events from Datacake using outgoing webhooks, and validate them in external systems like Node-RED using custom authorization headers.
Overview
This guide shows you how to secure Datacake outgoing webhooks using custom HTTP headers (e.g., Authorization) and validate them with tools such as Node-RED. It includes a real-world example, common pitfalls, and a reusable code snippet.
Video
📤 What Is an Outgoing Webhook?
Datacake allows you to forward device events (like measurements, decoder outputs, or downlinks) to external services using webhooks. These webhooks are triggered every time a selected event occurs in your workspace.
You can configure them under:
Workspace Sidebar → Integrations → Webhooks
🛡️ Why Use Header-Based Authorization?
Because Datacake is cloud-native and its infrastructure is dynamic (scaling up/down), IP whitelisting is unreliable. Instead, the recommended and secure way to authenticate webhook requests is via an HTTP header:
Name: Authorization (or any custom header name)
Value: A secret token known to both Datacake and the receiver (e.g., Node-RED)
All requests are sent via HTTPS, ensuring the token is encrypted during transmission.
🧪 Example: Using Node-RED to Receive and Validate Webhooks
1. Create the Webhook in Datacake
Go to Integrations → Webhooks
Click Add Webhook
Choose an event (e.g., "Device Measurement Recorded")
Set your endpoint URL (e.g., https://your-node-red-instance.com/webhook)
Under Headers, add:
Name:Authorization
Value:Bearer ABC123 (use your own secure token)
Click Create
Note: If you're running Node-RED locally (e.g., on a Raspberry Pi), you need to expose it via the internet (e.g., via Ngrok, reverse proxy, or public cloud service) to receive webhooks.
2. Set Up Node-RED Flow
In Node-RED:
Add an HTTP In node listening to POST /webhook
Add a Function node to validate the Authorization token
Add HTTP Response nodes for success and error
Here is the full flow you can import into Node-RED:
🛠️ How It Works
Webhook triggers a POST request to /webhook
Node-RED extracts the Authorization header
The Function node compares it with your expected value
Depending on the result:
HTTP 200 is returned (valid)
HTTP 401 is returned (invalid or missing)
⚠️ Common Pitfalls
Header names in msg.req.headers are always lowercase in Node-RED.
Ensure no whitespace or encoding issues in the header value.
If you're using CakeRed (hosted Node-RED on Datacake), ensure your firewall path allow list is correctly set.
🔒 Security Notes
Use secure, unguessable tokens (UUIDs or strong random strings).
Never share your tokens in public repositories or docs.
Consider rotating tokens periodically.
💬 Questions?
If you have questions or run into issues, feel free to contact support
