Verify webhook authenticity and implement security best practices
Webhook security is critical to ensure that requests to your endpoint are actually coming from Firecrawl and haven’t been tampered with. This page covers how to verify webhook authenticity and implement security best practices.
Firecrawl signs every webhook request using HMAC-SHA256 encryption with your account’s secret key. This creates a unique signature for each request that proves:
Your webhook secret is available under the Advanced tab of your account settings. Each account has a unique secret that’s used to sign all webhook requests.
Keep your webhook secret secure and never expose it publicly. If you believe
your secret has been compromised, regenerate it immediately from your account
settings.