I want to trigger actions on my backend from a campaign. I’m sending webhook requests as part of a campaign. For example, I want to add a balance to my users' in-app wallet as a promotion during an onboarding campaign. I know I can create a webhook in the campaign; however, this doesn't seem particularly secure as I have to include the authentication keys in plain text in the webhook configuration. I can see that these requests get sent with an x-cio-signature header. This header is documented for the reporting webhooks here. However, I am not using reporting webhooks and have not set these up. I would therefore like to confirm whether the x-cio-signature header sent with webhooks from campaigns is expected behaviour which I can rely on. If so, where can I find the key to verify the signature, since I have not set up these webhooks through the reporting webhook screen?
Is there any extra layer of security available? For example, request signing to prove that requests are from customer.io, or IP address lists for whitelisting?
Best answer by Ramy