Skip to main content
Securing your webhook endpoints ensures that only Lettr can send events to your server. Lettr supports multiple authentication methods for outbound webhook requests, which you configure when creating a webhook in the dashboard.

Authentication Types

When creating or editing a webhook in the dashboard, you choose an authentication type that Lettr uses when making requests to your endpoint.

Basic Authentication

With basic auth, Lettr includes an Authorization: Basic ... header in every webhook request. You provide the username and password when creating the webhook in the dashboard.

Verifying Basic Auth

Verify the credentials in your webhook handler:

PHP (Laravel)

Python (Flask)

Store your webhook credentials in environment variables or a secrets manager. Never hardcode them in your source code.

OAuth 2.0 Authentication

With OAuth 2.0 client credentials, Lettr obtains an access token from your OAuth server before each webhook delivery and includes it as a Bearer token. You provide the client ID, client secret, and token URL when creating the webhook in the dashboard.

Verifying OAuth Tokens

Verify the Bearer token in your webhook handler:

No Authentication

If you choose none, Lettr sends webhook requests without any authentication credentials. This is the simplest option but offers no protection against unauthorized requests.
Using no authentication means anyone who discovers your webhook URL can send fake events to your endpoint. If you choose this option, consider adding other security measures like IP allowlisting.

Additional Security Measures

IP Allowlisting

For additional security, restrict your webhook endpoint to only accept requests from Lettr’s IP addresses. Contact support for the current list.
If you’re behind a proxy or load balancer, make sure to configure your application to trust the proxy and extract the real client IP from the X-Forwarded-For header.

HTTPS

Always use HTTPS endpoints for your webhooks. This ensures that authentication credentials and event data are encrypted in transit.

Secret URL Paths

As an additional layer of defense, you can use a hard-to-guess URL path for your webhook endpoint:
This is not a substitute for proper authentication, but it adds an extra barrier for anyone scanning for webhook endpoints.

Checking Webhook Auth Status via API

You can check whether a webhook has authentication configured using the read-only API:
The response includes the auth type and whether credentials are configured:
The API response shows auth_type and has_auth_credentials but never exposes the actual credentials. To update authentication settings, use the Lettr dashboard.

Handling Webhooks

Best practices for processing webhooks reliably

Retries

Understand retry behavior and failure handling

Testing

Test webhooks in development and production

Event Types

Complete reference of all webhook events