Securing Outgoing Webhooks in Datacake
Learn how to securely forward device events from Datacake using outgoing webhooks, and validate them in external systems like Node-RED using custom authorization headers.
Overview
This guide shows you how to secure Datacake outgoing webhooks using custom HTTP headers (e.g., Authorization) and validate them with tools such as Node-RED. It includes a real-world example, common pitfalls, and a reusable code snippet.
📤 What Is an Outgoing Webhook?
Datacake allows you to forward device events (like measurements, decoder outputs, or downlinks) to external services using webhooks. These webhooks are triggered every time a selected event occurs in your workspace.
You can configure them under:
Workspace Sidebar → Integrations → Webhooks

🛡️ Why Use Header-Based Authorization?
Because Datacake is cloud-native and its infrastructure is dynamic (scaling up/down), IP whitelisting is unreliable. Instead, the recommended and secure way to authenticate webhook requests is via an HTTP header:
Name: Authorization (or any custom header name)
Value: A secret token known to both Datacake and the receiver (e.g., Node-RED)
All requests are sent via HTTPS, ensuring the token is encrypted during transmission.
🧪 Example: Using Node-RED to Receive and Validate Webhooks
1. Create the Webhook in Datacake
Go to Integrations → Webhooks
Click Add Webhook
Choose an event (e.g., "Device Measurement Recorded")
Set your endpoint URL (e.g., https://your-node-red-instance.com/webhook)
Under Headers, add:
Name: Authorization
Value: Bearer ABC123 (use your own secure token)
Click Create
2. Set Up Node-RED Flow
In Node-RED:
Add an HTTP In node listening to POST /webhook
Add a Function node to validate the Authorization token
Add HTTP Response nodes for success and error

Here is the full flow you can import into Node-RED:
[
  {
    "id": "http_in_node",
    "type": "http in",
    "z": "flow",
    "name": "Webhook In",
    "url": "/webhook",
    "method": "post",
    "upload": false,
    "swaggerDoc": "",
    "x": 160,
    "y": 100,
    "wires": [["check_auth"]]
  },
  {
    "id": "check_auth",
    "type": "function",
    "z": "flow",
    "name": "Check Authorization",
    "func": "// Expected token\nconst expectedToken = \"Bearer ABC123\";\n\n// Normalize headers to lowercase (as received)\nconst authHeader = msg.req.headers['authorization'];\n\nif (!authHeader || authHeader !== expectedToken) {\n msg.statusCode = 401;\n msg.payload = { error: \"Unauthorized\" };\n return [null, msg];\n} else {\n return [msg, null];\n}",
    "outputs": 2,
    "noerr": 0,
    "x": 360,
    "y": 100,
    "wires": [["success_response"], ["unauthorized_response"]]
  },
  {
    "id": "success_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 200 OK",
    "statusCode": "",
    "headers": {},
    "x": 580,
    "y": 80,
    "wires": []
  },
  {
    "id": "unauthorized_response",
    "type": "http response",
    "z": "flow",
    "name": "HTTP 401 Unauthorized",
    "statusCode": "",
    "headers": {},
    "x": 600,
    "y": 120,
    "wires": []
  }
]
🛠️ How It Works
Webhook triggers a POST request to /webhook
Node-RED extracts the Authorization header
The Function node compares it with your expected value
Depending on the result:
HTTP 200 is returned (valid)
HTTP 401 is returned (invalid or missing)
⚠️ Common Pitfalls
Header names in msg.req.headers are always lowercase in Node-RED.
Ensure no whitespace or encoding issues in the header value.
If you're using CakeRed (hosted Node-RED on Datacake), ensure your firewall path allow list is correctly set.
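A stricter form of the header check, as an added example that is not part of the Datacake documentation or the flow above: it fails closed when the receiver has no secret configured, tolerates the whitespace pitfall listed here, and compares the token in constant time. The function names, the 16-character floor, and the sample token are assumptions made for this example; it also assumes Node's crypto module is available to the code and that the expected token is passed in without the "Bearer " prefix.

```javascript
// Added example (not Datacake's code). Names and sample values are constructed.
const { createHash, timingSafeEqual } = require("crypto");

// Hash both sides so timingSafeEqual always receives equal-length buffers;
// comparison time then does not depend on how many characters match.
function safeEqual(a, b) {
  const digest = (s) => createHash("sha256").update(s, "utf8").digest();
  return timingSafeEqual(digest(a), digest(b));
}

// headers: msg.req.headers from the HTTP In node (names already lowercase).
// expectedToken: the shared secret alone, without the "Bearer " prefix.
function checkAuthorization(headers, expectedToken) {
  // Fail closed if the receiver itself has no usable secret configured.
  // The 16-character floor is an arbitrary choice for this example.
  if (typeof expectedToken !== "string" || expectedToken.length < 16) {
    return { ok: false, statusCode: 500, reason: "token not configured" };
  }
  const raw = headers && headers["authorization"];
  if (typeof raw !== "string") {
    return { ok: false, statusCode: 401, reason: "missing header" };
  }
  // Tolerate stray surrounding whitespace and scheme casing, nothing else.
  const match = /^Bearer +(\S+)$/i.exec(raw.trim());
  if (!match) {
    return { ok: false, statusCode: 401, reason: "malformed header" };
  }
  if (!safeEqual(match[1], expectedToken)) {
    return { ok: false, statusCode: 401, reason: "token mismatch" };
  }
  return { ok: true, statusCode: 200, reason: "ok" };
}

// Constructed sample input, for illustration only.
const SAMPLE_TOKEN = "constructed-sample-token-0123456789";
const sampleResults = [
  { authorization: "Bearer " + SAMPLE_TOKEN },
  { authorization: "bearer " + SAMPLE_TOKEN + " " },
  { authorization: "Bearer ABC123" },
  {},
].map((h) => checkAuthorization(h, SAMPLE_TOKEN).reason);
console.log(sampleResults);
```

The returned statusCode can be copied to msg.statusCode before the HTTP Response node, and the reason is intended for the receiver's own logs, not for the response body.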
🔒 Security Notes
Use secure, unguessable tokens (UUIDs or strong random strings).
Never share your tokens in public repositories or docs.
Consider rotating tokens periodically.
💬 Questions?
If you have questions or run into issues, feel free to contact support.