Webhook authentication best practices | Community
Skip to main content
A
Anonymous
May 4, 2015
Solved

Webhook authentication best practices

  • May 4, 2015
  • 3 replies
  • 3455 views

What kind of solutions have you used for authenticating Webhook requests coming to your backend from Marketo? The documentation (http://developers.marketo.com/documentation/webhooks/) totally ignores the subject. This is a bit strange as the documentation describes how to get sensitive user data from an apparently exposed public API. Also, in the forums there are some requests related to using OAuth2 in Webhooks but apparently this feature has not been implemented.

The only idea I can come up with is including a hard coded passphrase in the Webhook's GET or POST request parameters. I guess this is an acceptable solution if the passphrase is long enough and requests are sent over https.

Any comments or ideas?

Mikko

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by
    Hi Mikko,

    I have used hard coded passphrase in webhooks in my work so far. I would also suggest checking requester IP address in your external web service and only allow to the IP range(s) Marketo will be using. You may want to check with Marketo support to find out the IP address or find them yourself from the actual test http requests.

    Hope this helps

    Rajesh 

    3 replies

    A
    Anonymous
    Accepted solution
    May 4, 2015
    Hi Mikko,

    I have used hard coded passphrase in webhooks in my work so far. I would also suggest checking requester IP address in your external web service and only allow to the IP range(s) Marketo will be using. You may want to check with Marketo support to find out the IP address or find them yourself from the actual test http requests.

    Hope this helps

    Rajesh 
    SanfordWhiteman
    SanfordWhiteman
    Level 10
    May 4, 2015
    I second @Rajesh.  That's pretty much how it's done. 

    You could in theory also loop back using the Marketo REST API and use some kind of per-lead authentication (like checking that the Marketo id matches).  But then you have to deal with the API limits, which are very low.  If you were replicating your Lead Database to some in-house system, this could be used as well.  But I doubt anyone (literally, anyone!) is doing these things because of the overhead.  And in fairness doing OAuth with a separate authentication step for each webhook call (assuming no persistence) would be horrible for performance, too.
    A
    Anonymous
    May 5, 2015
    Thanks Rajesh and Sanford. I'll ask about the ip ranges and will get back to you after I get an answer.
    A
    Anonymous
    May 18, 2015

    Hi,

    I asked customer support about the ip ranges and go the following info:

    "There is no article I could refer you to in regards to IP Range Enquiry. We actually access a cached version of the application at the nearest location, so this might vary. I will investigate for you and let you know about outcome."

    And (I have deleted all the info related to out instance):

    As your instance of Marketo is located on our xxx pod in our xxx datacentre, these are the IP addresses you can expect the webhook requests to come from:

    ...

    These are currently not posted anywhere customer-facing I'm afraid. However feel free to request the list any time you need it."

    And:

    "As far as I know, these IP addresses have not been changed since they've been introduced a couple of years ago. I don't foresee them changing at all in the future. If there was to be a decision to change them, a customer notification will be sent out to all affected customers."

    Thanks again for sharing your experiences,

    Mikko

    Terms & ConditionsAccessibility statement

    Loading footer...