
Authentication

Secure your webhook connections with the right authentication method. Learn when to use Basic, Bearer, API Key, or no authentication for your webhook endpoints.

What you'll learn

  • No authentication
  • Basic authentication
  • Bearer token
  • API key
  • Security best practices
1. No authentication

The simplest option: no credentials are sent with the webhook request. This works because platforms like Zapier, Make, and n8n generate unique, random URLs that act as the secret. Only someone who knows the exact URL can send data to the endpoint.

When to use: Zapier catch hooks (the URL contains your unique hook ID), Make custom webhooks (the URL contains your webhook ID), and n8n webhook nodes (the URL contains a unique path). By default these platforms accept requests based on the URL alone, and no Authorization header is added to the request. This is the default for all platform templates in Chattlebot.

Because the URL is the credential, handle it like one: it is visible to anyone who can see your Chattlebot configuration, it is recorded in the receiving platform's request logs, and it is reused for every request, so a single leak lets anyone push data into your workflow until you regenerate the hook.

No Authentication (simplest)

The URL itself acts as the secret. Only people who know the unique URL can send data to the endpoint.

Common platforms:

  • Zapier: hooks.zapier.com/hooks/catch/...
  • Make: hook.make.com/...
  • n8n: your-n8n.example.com/webhook/...

Authorization header: none sent

No Authentication selected in the auth dropdown
2. Basic authentication

Basic authentication sends a username and password with every request, encoded as Base64 in the Authorization header. The format is 'Authorization: Basic {base64(username:password)}'. When Chattlebot sends the webhook, it automatically combines your username and password, encodes them, and adds the header; you just enter the credentials in the form.

When to use: legacy APIs that require HTTP Basic Auth, internal services with simple username/password protection, older CRM or database APIs.

Base64 is an encoding, not encryption: anyone who can read the header can decode the credentials instantly. Basic auth is simple, but it sends the same credentials with every request, so only use it over HTTPS to prevent interception.

Basic Auth with username and password fields
3. Bearer token

Bearer token authentication sends a token in the Authorization header as 'Authorization: Bearer {your_token}'. This is the most common authentication method for modern APIs. The token is typically an OAuth2 access token, a JWT (JSON Web Token), or an API-generated token from the service you're connecting to.

When to use: OAuth2 APIs (after obtaining an access token), JWT-based services, modern API platforms (Stripe, Twilio, SendGrid, etc.), and any API documentation that says 'include your token in the Authorization header'.

Enter your token in the Token field; Chattlebot adds the 'Bearer' prefix and the Authorization header automatically. A bearer token is exactly that: whoever presents it is accepted, so protect it like a password. Many OAuth2 access tokens also expire after a short time; a webhook configured with such a token stops authenticating once it expires, so plan to update the stored token before then.

Bearer Token authentication with token field
4. API key

API Key authentication sends your key in a custom header. Unlike Bearer tokens, which always use the Authorization header, API keys can use any header name the API requires. You specify both the header name (e.g., 'X-API-Key', 'X-Auth-Token', 'Api-Key') and the key value.

When to use: APIs that require a specific custom header for authentication, services that issue API keys (as opposed to OAuth tokens), platforms that document authentication as 'include your API key in the X-API-Key header'.

Common header name patterns include X-API-Key, X-Auth-Token, X-Access-Key, and Api-Key. HTTP matches header names case-insensitively, but copy the name exactly as your API's documentation gives it to avoid surprises with strict servers or proxies.

API Key authentication with header name and key fields
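The four modes above describe what Chattlebot puts on the wire; the endpoint that receives the webhook has to check it. The following is an added example of that receiving side, not Chattlebot's code or any platform's code. The `Request` class is a constructed stand-in for an incoming HTTP request, and the usernames, tokens, header names and paths are placeholders. It shows the details a verifier gets wrong most often: the auth-scheme word is case-insensitive but the credentials are not, header names are case-insensitive, a Basic password may itself contain a colon, malformed Base64 is a failed login rather than a crash, and every secret comparison is constant-time. The `basic_header` helper builds the sender-side header the Basic section describes.

```python
from __future__ import annotations

import base64
import hmac
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    path: str
    headers: dict[str, str]


def _header(req: Request, name: str) -> str | None:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so a wrong secret cannot be guessed byte by byte via timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _scheme_credentials(req: Request, scheme: str) -> str | None:
    """Return the <credentials> part of 'Authorization: <scheme> <credentials>', or None.

    The scheme name is case-insensitive (RFC 7235); the credentials are used as-is.
    """
    value = _header(req, "Authorization")
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != scheme.lower():
        return None
    return parts[1]


def basic_header(username: str, password: str) -> str:
    """What a sender puts in the Authorization header for Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def verify_url_secret(req: Request, expected_path: str) -> bool:
    """'No authentication' mode: the random path segment is the secret, so compare it like one."""
    return _eq(req.path, expected_path)


def verify_basic(req: Request, username: str, password: str) -> bool:
    """Basic auth: base64(username:password). Base64 is reversible encoding, not encryption."""
    cred = _scheme_credentials(req, "Basic")
    if cred is None:
        return False
    try:
        decoded = base64.b64decode(cred, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False  # malformed credentials are a failed login, not a server error
    user, sep, password_sent = decoded.partition(":")  # the password may itself contain ':'
    if not sep:
        return False
    # '&' instead of 'and' so both comparisons always run (no early exit on a wrong username)
    return _eq(user, username) & _eq(password_sent, password)


def verify_bearer(req: Request, token: str) -> bool:
    """Bearer auth: whoever presents the token is accepted, which is why it must never leak."""
    cred = _scheme_credentials(req, "Bearer")
    return cred is not None and _eq(cred, token)


def verify_api_key(req: Request, header_name: str, key: str) -> bool:
    """API-key auth: the key travels in whatever custom header the API specifies."""
    value = _header(req, header_name)
    return value is not None and _eq(value.strip(), key)


def authenticate(req: Request, policy: dict) -> bool:
    """Dispatch on the configured mode; unknown or misconfigured modes fail closed."""
    mode = policy.get("mode")
    if mode == "none":
        return verify_url_secret(req, policy["path"])
    if mode == "basic":
        return verify_basic(req, policy["username"], policy["password"])
    if mode == "bearer":
        return verify_bearer(req, policy["token"])
    if mode == "api_key":
        return verify_api_key(req, policy["header"], policy["key"])
    return False


if __name__ == "__main__":
    # Constructed sample: a receiver configured for Bearer auth sees three different requests.
    policy = {"mode": "bearer", "token": "tok_demo_not_a_real_secret"}
    for headers in ({"Authorization": "Bearer tok_demo_not_a_real_secret"},
                    {"Authorization": "Basic tok_demo_not_a_real_secret"},
                    {}):
        print(headers, "->", authenticate(Request("/webhook/abc", headers), policy))
```

The same functions can sit behind a Flask or FastAPI route by building `Request` from the framework's path and headers; the point is that each mode reduces to one constant-time comparison of a secret the receiver already holds, and that a request with the wrong scheme word (a Bearer token sent as `Basic`, for instance) is rejected rather than partially matched.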
5. Security best practices

Keeping your webhook connections secure is essential. All credentials in Chattlebot (passwords, tokens, and API keys) are encrypted at rest using industry-standard encryption. They are never stored in plain text and never exposed in logs or error messages.

Beyond Chattlebot's built-in protections, follow these practices:

Never share webhook URLs that contain secrets in the query string. If a URL includes an API key or token as a parameter, treat it like a password. HTTPS encrypts the URL in transit, but the receiving server, its reverse proxy, and anything between them will typically write the full URL, query string included, to their access logs.

Rotate tokens periodically. Set a calendar reminder to update Bearer tokens and API keys on a regular schedule (e.g., every 90 days). For no-authentication hooks the URL is the secret, so rotating means regenerating the hook on Zapier, Make, or n8n and updating the URL in Chattlebot.

Use HTTPS only. Never configure a webhook URL with 'http://' (without the 's'). Plain HTTP sends your credentials and data unencrypted over the network.

If you suspect a token has been compromised, rotate it immediately in your API provider's dashboard and update the credential in Chattlebot.

Summary:

  • Encrypted at rest: all credentials are encrypted before storage
  • Never share webhook URLs: treat URLs with secrets as passwords
  • Rotate tokens periodically: update credentials on a regular schedule
  • Use HTTPS only: never send credentials over plain HTTP

Important: If a token is compromised, rotate it immediately in your API provider and update the webhook in Chattlebot.
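Two of the practices above ("use HTTPS only" and "treat a URL carrying a secret as a password") can be checked mechanically before a webhook URL is saved or written to a log. The following is an added example of such a check, not Chattlebot's code or any platform's code; the list of parameter-name fragments that mark a value as a credential is a constructed heuristic, and the sample URLs are placeholders. `check_webhook_url` returns the problems it finds, and `redact_url` produces a version of the URL that can be logged without leaking the query string or embedded `user:pass@` credentials.

```python
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter-name fragments that usually mean "this value is a credential" (constructed list).
SECRET_PARAM_HINTS = ("key", "token", "secret", "password", "passwd", "pwd",
                      "auth", "sig", "signature", "credential")


def check_webhook_url(url: str) -> list[str]:
    """Return a list of problems with a webhook URL; an empty list means it passed."""
    findings: list[str] = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "http":
        findings.append("plain http: credentials and payload cross the network unencrypted")
    elif scheme != "https":
        findings.append(f"unexpected scheme {parts.scheme!r}; use https")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded as user:pass@host; they end up in logs and history")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if any(hint in name.lower() for hint in SECRET_PARAM_HINTS):
            findings.append(f"secret carried in query parameter {name!r}; treat this URL as a password")
    return findings


def redact_url(url: str) -> str:
    """Version of the URL that is safe to log: userinfo dropped, every query value masked."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # strip user:pass@ if present
    masked = urlencode([(name, "REDACTED")
                        for name, _ in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, host, parts.path, masked, ""))


if __name__ == "__main__":
    # Constructed samples, from a clean platform hook to one that leaks a key two ways.
    for sample in ("https://hooks.example.com/catch/123/abc/",
                   "http://hooks.example.com/catch/123/abc/",
                   "https://bot:pw@api.example.com/in?api_key=abc123&event=lead"):
        print(redact_url(sample), "->", check_webhook_url(sample) or "ok")
```

Run the check when a webhook is configured and refuse to save on any finding; use `redact_url` anywhere a webhook URL is written to a log line or an error message, since the original best-practices text applies to your own systems' logs as much as to Chattlebot's.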

Pro Tip

  • If your API supports it, use IP allowlisting as an additional security layer: restrict your API endpoint to accept requests only from known IP ranges. This only helps when the sender's outbound addresses are fixed and known, so confirm the source addresses Chattlebot's webhooks are sent from before enabling it; otherwise legitimate requests will be blocked.
