Skip to content
HookBridge Docs

Pull Verification Options

Why You Would Use This

Section titled “Why You Would Use This”

Verification settings let you define what a valid incoming webhook looks like before HookBridge stores it. This blocks spoofed or malformed traffic at ingestion instead of polluting your stored events with bad data.

Pull endpoints support the same verification options as inbound endpoints.

Available Options

Section titled “Available Options”
  • verify_static_token: require a known token value in a header or query param.
  • verify_hmac: require a valid HMAC signature header.
  • timestamp_header_name + timestamp_ttl_seconds: enforce timestamp freshness when verifying signed requests.
  • verify_ip_allowlist: require sender IP to be in configured CIDR ranges.
  • ingest_response_code: choose the 2xx code returned on successful ingest.

Console Workflow

Section titled “Console Workflow”
  1. Open Endpoints and switch to Pull.
  2. Open the pull endpoint you want to configure.
  3. Enable only the verification modes your provider supports.
  4. Enter required headers/secrets/CIDRs and save.
  5. Send a test webhook from your provider and confirm the event appears in the stored events list.

API Workflow

Section titled “API Workflow”

API reference:

Configure verification at creation

Section titled “Configure verification at creation”
Terminal window
curl -X POST https://api.hookbridge.io/v1/pull-endpoints \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Stripe Events",
    "verify_hmac": true,
    "hmac_header_name": "Stripe-Signature",
    "hmac_secret": "whsec_abc123",
    "timestamp_header_name": "Stripe-Signature",
    "timestamp_ttl_seconds": 300,
    "event_type_source": "body",
    "event_type_path": "type"
  }'

Update verification on an existing endpoint

Section titled “Update verification on an existing endpoint”
Terminal window
curl -X PATCH https://api.hookbridge.io/v1/pull-endpoints/YOUR_PULL_ENDPOINT_ID \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "verify_hmac": true,
    "hmac_header_name": "X-Signature",
    "hmac_secret": "YOUR_PROVIDER_HMAC_SECRET",
    "timestamp_header_name": "X-Webhook-Timestamp",
    "timestamp_ttl_seconds": 300,
    "verify_ip_allowlist": true,
    "allowed_cidrs": ["203.0.113.0/24"],
    "ingest_response_code": 202
  }'
Personalize Examples

Enter your credentials to populate code examples throughout the docs.