Securing Outgoing Webhooks in Datacake
Learn how to securely forward device events from Datacake using outgoing webhooks, and validate them in external systems like Node-RED using custom authorization headers.
Last updated
Was this helpful?
Learn how to securely forward device events from Datacake using outgoing webhooks, and validate them in external systems like Node-RED using custom authorization headers.
Last updated
Was this helpful?
This guide shows you how to secure Datacake outgoing webhooks using custom HTTP headers (e.g., Authorization
) and validate them with tools such as Node-RED. It includes a real-world example, common pitfalls, and a reusable code snippet.
Datacake allows you to forward device events (like measurements, decoder outputs, or downlinks) to external services using webhooks. These webhooks are triggered every time a selected event occurs in your workspace.
You can configure them under:
Workspace Sidebar → Integrations → Webhooks
Because Datacake is cloud-native and its infrastructure is dynamic (scaling up/down), IP whitelisting is unreliable. Instead, the recommended and secure way to authenticate webhook requests is via an HTTP header:
Name: Authorization
(or any custom header name)
Value: A secret token known to both Datacake and the receiver (e.g., Node-RED)
All requests are sent via HTTPS, ensuring the token is encrypted during transmission.
Go to Integrations → Webhooks
Click Add Webhook
Choose an event (e.g., "Device Measurement Recorded")
Set your endpoint URL (e.g., https://your-node-red-instance.com/webhook
)
Under Headers, add:
Name: Authorization
Value: Bearer ABC123
(use your own secure token)
Click Create
In Node-RED:
Add an HTTP In
node listening to POST /webhook
Add a Function
node to validate the Authorization token
Add HTTP Response
nodes for success and error
Here is the full flow you can import into Node-RED:
Webhook triggers a POST
request to /webhook
Node-RED extracts the Authorization
header
The Function node compares it with your expected value
Depending on the result:
HTTP 200
is returned (valid)
HTTP 401
is returned (invalid or missing)
Header names in msg.req.headers
are always lowercase in Node-RED.
Ensure no whitespace or encoding issues in the header value.
If you're using CakeRed (hosted Node-RED on Datacake), ensure your firewall path allow list is correctly set.
Use secure, unguessable tokens (UUIDs or strong random strings).
Never share your tokens in public repositories or docs.
Consider rotating tokens periodically.
Note: If you're running Node-RED locally (e.g., on a Raspberry Pi), you need to expose it via the internet (e.g., via , reverse proxy, or public cloud service) to receive webhooks.
If you have questions or run into issues, feel free to