Authenticatie
Real-time webhook debugging voor Nederlandse developers
Every WebhookWatch endpoint is protected by API keys. Learn how to generate, rotate, and securely store your credentials so your webhook data stays private.
Bearer Token via HTTP Header
WebhookWatch uses a simple bearer-token scheme. Attach your API key to every request using the Authorization header. The key is validated server-side before any webhook payload is accepted or returned.
curl -X POST https://api.webhookwatch.nl/v1/endpoints \
-H "Authorization: Bearer wwhk_live_3f8a9b2c1d4e5f6a7b8c9d0e1f2a3b4c" \
-H "Content-Type: application/json" \
-d '{"url": "https://mijnapp.nl/webhook", "secret": "whsec_s3cr3t"}'
Keys prefixed with wwhk_live_ are production keys. Keys prefixed with wwhk_test_ route traffic to our sandbox environment and never touch production data. Both types share the same rate limit of 600 requests per minute.
Generate, Rotate, Revoke
Manage your API keys from the WebhookWatch dashboard under Settings → API Keys. You can create up to five active keys per project, each with its own label and scope.
Generate a New Key
Click Create API Key in the dashboard. Give it a descriptive label like production-app or ci-pipeline. The full key is shown only once at creation time — copy it immediately and store it securely.
Rotate Keys Safely
When rotating, generate the replacement key first, update your application to use it, verify webhooks flow correctly, then revoke the old key. Both keys remain valid during the transition window, so no requests are dropped.
Revoke Immediately
If a key is compromised, revoke it instantly from the dashboard. Revocation is effective within 60 seconds across all edge nodes. All in-flight requests using the revoked key receive a 401 Unauthorized response.
# Example: Creating a key via the management API
curl -X POST https://api.webhookwatch.nl/v1/keys \
-H "Authorization: Bearer wwhk_live_3f8a9b2c1d4e5f6a7b8c9d0e1f2a3b4c" \
-H "Content-Type: application/json" \
-d '{"label": "staging-deploy", "scope": "read-write"}'
# Response
# {
# "id": "key_9x2m4k7p",
# "key": "wwhk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
# "label": "staging-deploy",
# "created_at": "2025-01-15T09:23:41Z"
# }
Protect Your Keys in Production
How you store your API keys matters as much as the keys themselves. Follow these practices to keep your webhook data safe.
Environment Variables Only
Never hardcode keys in source files. Store them in environment variables and reference them at runtime. On Linux/macOS, add them to your .env file or use your shell's export command. In Docker, pass them via -e flags or a .env file mounted into the container.
Restrict Key Scope
Use read-only keys for monitoring scripts and CI/CD pipelines that only inspect webhook logs. Reserve read-write keys for applications that actively create or modify endpoints. This limits blast radius if a key leaks.
Audit Key Usage
The dashboard logs every request with the key ID used. Review the Activity Log weekly to spot unfamiliar IP addresses or unexpected request patterns. Set up email alerts for keys that haven't been used in 30 days — they may belong to decommissioned services.
# .env file (add to .gitignore)
WEBHOOKWATCH_API_KEY=wwhk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
WEBHOOKWATCH_ENDPOINT_SECRET=whsec_s3cr3t_k3y_f0r_s1gn1ng
# Node.js example
const apiKey = process.env.WEBHOOKWATCH_API_KEY;
const response = await fetch('https://api.webhookwatch.nl/v1/endpoints', {
method: 'POST',
headers: {
'Authorization': `Bearer ${apiKey}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
url: 'https://mijnapp.nl/webhook',
secret: process.env.WEBHOOKWATCH_ENDPOINT_SECRET
})
});
For teams using infrastructure-as-code, integrate key management with tools like HashiCorp Vault, AWS Secrets Manager, or GitHub Actions encrypted secrets. WebhookWatch keys never need to be committed to version control.