Storing webhook authentication secrets

Ensure your webhook authentication secrets are safe and secure

Learn how to secure your webhook authentication secrets by reading this article. The primary goal is to give you an overview of how you can establish safety when using webhooks.

After reading this guide, you should know precisely how to keep malicious users away from your webhooks.


  • You know what webhooks are
  • You understand permissions and roles
  • You have access to your admin user or any other user with the webhooks.create permission

Read more about:

Storing webhook tokens

After creating a webhook, you are prompted to save its token. Mind, this token appears only once. After you’ve made the webhook, you cannot recover this token.

In the pop-up, you’re asked to secure the webhook secret safe and securely. But how do you do so?

Ideally, you want to store your webhook secret in a secret manager.

Best storage practices

We highly recommend you make use of a secret manager. They let you set up your environment variables per environment. Thus, guaranteeing your secrets to remain in your hands only. And not in someone else’s.

When choosing a secret manager, be sure to check if their security standards conform to industry standards. There are a lot of options, but you want to have the most secure one.

We recommend Doppler, which lets you synchronize your environment variables per system, environment, and individual. This means any person or system in your organization that needs access will have it.

Alternatively, you may consider HashiCorp Vault.

By utilizing secret managers to your advantage, you’ll bring yourself peace of mind, knowing that your organization is secure and safe from security risks.

Avoid these storage methods

While storing a snippet of information in your personal Slack channel is easy, fast, and convenient… it’s not secure. Not at all.

Unfortunately, many employees in organizations resort to such methods. They put sensitive information in a Google docs file, or at worst, even push client secrets to a public GitHub repository. Exposed for any curious visitor to see.

In any of such scenarios, the sensitive information becomes free to see and use for anyone. Furthermore, if the viewer is of the malicious kind, then within minutes, your processes could grind to a halt, your databases may get corrupted, and your confidential trade secrets could be breached.

Follow these three tips:

  1. Check if your team is storing secrets or security keys in a secret manager
  2. Tell everyone not to put such information in their private Slack, Discord, or Skype channels
  3. Create a policy that does not allow anyone to put security tokens in public files (be they Google docs, or your GitHub repository).