Expand my Community achievements bar.

Don’t miss the Workfront AMA: System Smarts & Strategic Starts! Ask your questions about keeping Workfront running smoothly, planning enhancements, reporting, or adoption, and get practical insights from Adobe experts.
RSVP & Ask Questions
SOLVED

Secured Webhook - WF Fusion

Avatar

Level 2
Level 2
8/22/25 3:33:14 AM

Hello Everyone, 

I am looking for some suggestions on the Securing Webhook topic in WF Fusion. 
Below are the details 

1. I tried to use the OOB Webhooks module to generate a Webhook, that will be used by a third party to POST Json objects. 
2. I would like to consume this data & perform a mapping functionality, that'll be later used to create a Workfront object. 

The Questions I have are as below, 

1. How do I secure this webhook ? IP whitelisting would not work in my case as we are using ALB of GCP (i.e) Dynamic IP. Note: the reply on this post wasn't helpful because the user who posts the json doesn't have to be on WF.
2. Frame.io seems like a good alternative to webhooks, but does it come with an additional cost ? 

Thanks in advance ! 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Workfront Fusion

Views

181

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 7
Level 7
8/25/25 5:50:31 AM

This is a known problem with how Fusion/Make.com deal with webhooks.  It has no way to, for example, allow JWT or OAuth 2.0 to allow for proper security.  If you know the webhook URL or the static header values in use, you can call it.  JWT would be much more proper in 2025+.  I'd suggest you file an Idea in the Workfront Fusion forum here.

View solution in original post

Views

127

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Community Advisor
Community Advisor
8/25/25 3:35:50 AM

Hi @HarishDe 
Not sure how Frame.io factors into securing webhooks, but you have 2 options:

  1. IP whitelisting which doesn't work for you
  2. an expected header value you check for
  3. an expected query argument (or multiple) you check for 

either way, it'll be one or more static strings you check.
Of course you could get crafty and create an "auth scenario" that expects a couple values (say a user email and a key) that you could store in a datastore, and if they match, you store a "session" variable along with that data store record. Then you return a 302 redirect to the actual scenario with the "session" in the URL, and the requesting app accesses the real scenario which does a check whether the session is valid.

 

Views

138

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 7
Level 7
8/25/25 5:50:31 AM

This is a known problem with how Fusion/Make.com deal with webhooks.  It has no way to, for example, allow JWT or OAuth 2.0 to allow for proper security.  If you know the webhook URL or the static header values in use, you can call it.  JWT would be much more proper in 2025+.  I'd suggest you file an Idea in the Workfront Fusion forum here.

Views

128

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Fusion - Search for specifc Program field Solved

Views

119

Likes

0

Replies

6
Workfront Fusion remove spaces from field Solved

Views

186

Likes

0

Replies

2
Workfront Fusion Search module Record Type: Project User

Views

50

Likes

0

Replies

1
Fusion: Attach Project Template | 'Options' selection

Views

136

Like

1

Replies

3
Accessing JSON Data in Workfront Fusion: Is parseJSON Mandatory

Views

115

Likes

0

Replies

2