Securing Outgoing Webhooks in Datacake

Learn how to securely forward device events from Datacake using outgoing webhooks, and validate them in external systems like Node-RED using custom authorization headers.

Overview

This guide shows you how to secure Datacake outgoing webhooks using custom HTTP headers (e.g., Authorization) and validate them with tools such as Node-RED. It includes a real-world example, common pitfalls, and a reusable code snippet.

Video

📤 What Is an Outgoing Webhook?

Datacake allows you to forward device events (like measurements, decoder outputs, or downlinks) to external services using webhooks. These webhooks are triggered every time a selected event occurs in your workspace.

You can configure them under:

Workspace Sidebar → Integrations → Webhooks

🛡️ Why Use Header-Based Authorization?

Because Datacake is cloud-native and its infrastructure is dynamic (scaling up/down), IP whitelisting is unreliable. Instead, the recommended and secure way to authenticate webhook requests is via an HTTP header:

Name: Authorization (or any custom header name)
Value: A secret token known to both Datacake and the receiver (e.g., Node-RED)

All requests are sent via HTTPS, ensuring the token is encrypted during transmission.

🧪 Example: Using Node-RED to Receive and Validate Webhooks

1. Create the Webhook in Datacake

Go to Integrations → Webhooks
Click Add Webhook
Choose an event (e.g., "Device Measurement Recorded")
Set your endpoint URL (e.g., https://your-node-red-instance.com/webhook)
Under Headers, add:
- Name: Authorization
- Value: Bearer ABC123 (use your own secure token)
Click Create

Note: If you're running Node-RED locally (e.g., on a Raspberry Pi), you need to expose it via the internet (e.g., via Ngrok, reverse proxy, or public cloud service) to receive webhooks.

2. Set Up Node-RED Flow

In Node-RED:

Add an HTTP In node listening to POST /webhook
Add a Function node to validate the Authorization token
Add HTTP Response nodes for success and error

Here is the full flow you can import into Node-RED:

[
  {
    "id": "http_in_node",
    "type": "http in",
    "z": "flow",
    "name": "Webhook In",
    "url": "/webhook",
    "method": "post",
    "upload": false,
    "swaggerDoc": "",
    "x": 160,
    "y": 100,
    "wires": [["check_auth"]]
  },
  {
    "id": "check_auth",
    "type": "function",
    "z": "flow",
    "name": "Check Authorization",
    "func": "// Expected token\nconst expectedToken = \"Bearer ABC123\";\n\n// Normalize headers to lowercase (as received)\nconst authHeader = msg.req.headers['authorization'];\n\nif (!authHeader || authHeader !== expectedToken) {\n    msg.statusCode = 401;\n    msg.payload = { error: \"Unauthorized\" };\n    return [null, msg];\n} else {\n    return [msg, null];\n}",
    "outputs": 2,
    "noerr": 0,
    "x": 360,
    "y": 100,
    "wires": [["success_response"], ["unauthorized_response"]]
  },
  {
    "id": "success_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 200 OK",
    "statusCode": "",
    "headers": {},
    "x": 580,
    "y": 80,
    "wires": []
  },
  {
    "id": "unauthorized_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 401 Unauthorized",
    "statusCode": "",
    "headers": {},
    "x": 600,
    "y": 120,
    "wires": []
  }
]

🛠️ How It Works

Webhook triggers a POST request to /webhook
Node-RED extracts the Authorization header
The Function node compares it with your expected value
Depending on the result:
- HTTP 200 is returned (valid)
- HTTP 401 is returned (invalid or missing)

⚠️ Common Pitfalls

Header names in msg.req.headers are always lowercase in Node-RED.
Ensure no whitespace or encoding issues in the header value.
If you're using CakeRed (hosted Node-RED on Datacake), ensure your firewall path allow list is correctly set.

🔒 Security Notes

Use secure, unguessable tokens (UUIDs or strong random strings).
Never share your tokens in public repositories or docs.
Consider rotating tokens periodically.

💬 Questions?

If you have questions or run into issues, feel free to contact support

Last updated 7 months ago

Was this helpful?