Authentication Types
Alloy webhook authentication supports multiple methods to ensure secure communication. Here are brief descriptions of each:
Basic Auth — Your endpoint receives an Authorization: Basic base64(username:password) header on each request and validates the credentials. See Basic Authentication for more information.
OAuth 2.0 — Alloy obtains a bearer token and presents it on each webhook request. Your endpoint then validates the token before processing the webhook. Alloy supports the Client Credentials and Password (Resource Owner Password Credentials) grant types. See OAuth2.0 for more information.
HMAC — Alloy signs the request body with a shared secret and sends the signature in the Authorization header. Your endpoint recomputes the HMAC over the received body and compares. Unlike the sender-authentication methods above, this also verifies that the payload was not altered in transit. Consider using HMAC authentication when payload integrity verification is a specific requirement. See HMAC for more information.
Note: OAuth 2.0 and Basic Auth authenticate the sender by confirming the caller holds valid credentials. HMAC additionally verifies payload integrity. For most webhook consumers, sender authentication over HTTPS is sufficient; HMAC is only needed when you specifically need to detect body tampering.
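The receiving side of the HMAC method described above, as an added example that is not Alloy's own code. It assumes HMAC-SHA256, a hex-encoded signature, and the signature sent as the entire Authorization header value; the secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumptions, not taken from the page: HMAC-SHA256, a hex-encoded digest,
# and the digest sent as the whole Authorization header value.
DIGEST = hashlib.sha256


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Compute the signature the sender would attach to raw_body."""
    return hmac.new(secret, raw_body, DIGEST).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the Authorization header matches the HMAC of raw_body."""
    received = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), None
    )
    if not received:
        return False  # missing or empty header: reject, never fall through
    expected = sign_body(secret, raw_body)
    # Constant-time comparison; bytes on both sides so non-ASCII input
    # is rejected instead of raising TypeError.
    return hmac.compare_digest(
        expected.encode("ascii"), received.strip().encode("utf-8")
    )


# Constructed sample data for illustration only.
SECRET = b"example-shared-secret"
BODY = b'{"event":"test",  "id": 1}'  # exact bytes as received on the wire
HEADERS = {"Authorization": sign_body(SECRET, BODY)}


def demo() -> dict:
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": verify_webhook(SECRET, HEADERS, BODY),
        "tampered_body": verify_webhook(SECRET, HEADERS, BODY.replace(b"1", b"2")),
        "wrong_secret": verify_webhook(b"other", HEADERS, BODY),
        "missing_header": verify_webhook(SECRET, {}, BODY),
        # Parsing and re-encoding changes the bytes, so the check fails:
        # always verify the raw body before any JSON handling.
        "reserialized_body": verify_webhook(SECRET, HEADERS, reserialized),
    }


if __name__ == "__main__":
    print(demo())
```

Check the actual hash algorithm, signature encoding and header format against the HMAC page before adapting this.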