Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now
SOLVED

Secured Webhook - WF Fusion

Avatar

Level 1
Level 1
8/22/25 3:33:14 AM

Hello Everyone, 

I am looking for some suggestions on the Securing Webhook topic in WF Fusion. 
Below are the details 

1. I tried to use the OOB Webhooks module to generate a Webhook, that will be used by a third party to POST Json objects. 
2. I would like to consume this data & perform a mapping functionality, that'll be later used to create a Workfront object. 

The Questions I have are as below, 

1. How do I secure this webhook ? IP whitelisting would not work in my case as we are using ALB of GCP (i.e) Dynamic IP. Note: the reply on this post wasn't helpful because the user who posts the json doesn't have to be on WF.
2. Frame.io seems like a good alternative to webhooks, but does it come with an additional cost ? 

Thanks in advance ! 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Workfront Fusion

Views

113

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 7
Level 7
8/25/25 5:50:31 AM

This is a known problem with how Fusion/Make.com deal with webhooks.  It has no way to, for example, allow JWT or OAuth 2.0 to allow for proper security.  If you know the webhook URL or the static header values in use, you can call it.  JWT would be much more proper in 2025+.  I'd suggest you file an Idea in the Workfront Fusion forum here.

View solution in original post

Views

59

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Community Advisor
Community Advisor
8/25/25 3:35:50 AM

Hi @HarishDe 
Not sure how Frame.io factors into securing webhooks, but you have 2 options:

  1. IP whitelisting which doesn't work for you
  2. an expected header value you check for
  3. an expected query argument (or multiple) you check for 

either way, it'll be one or more static strings you check.
Of course you could get crafty and create an "auth scenario" that expects a couple values (say a user email and a key) that you could store in a datastore, and if they match, you store a "session" variable along with that data store record. Then you return a 302 redirect to the actual scenario with the "session" in the URL, and the requesting app accesses the real scenario which does a check whether the session is valid.

 

Views

70

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 7
Level 7
8/25/25 5:50:31 AM

This is a known problem with how Fusion/Make.com deal with webhooks.  It has no way to, for example, allow JWT or OAuth 2.0 to allow for proper security.  If you know the webhook URL or the static header values in use, you can call it.  JWT would be much more proper in 2025+.  I'd suggest you file an Idea in the Workfront Fusion forum here.

Views

60

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Getting All WF Group Admins from Workfront Solved

Views

124

Likes

0

Replies

2
Approval process deletion using fusion

Views

17

Likes

0

Replies

1
Fusion Webhook response

Views

101

Likes

0

Replies

1
Fusion Dashboard – Top Scenarios by Operations Frustration

Views

98

Likes

0

Replies

3
Fusion Onboarding & Adoption

Views

86

Likes

0

Replies

1