For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Help CenterAPI KeysStatusSign In
GuidesAPI ReferenceChangelog
GuidesAPI ReferenceChangelog
  • Getting started
    • Overview
    • Quickstart
    • Authentication
    • Rate limits
  • Messaging API
    • Send transactional email
    • Send transactional SMS
    • Send transactional WhatsApp
  • Marketing Platform
    • Manage your contacts
    • Track website activity
    • Send WhatsApp campaigns
    • Weekly event exports
  • Webhooks
    • Getting started
    • Conversations webhooks
    • Payment webhooks
    • Marketing webhooks
    • Transactional webhooks
    • Loyalty webhooks
    • Batched webhooks
    • Secure webhook calls
    • Meetings and phone webhooks
    • Push notification webhooks
    • Sales CRM webhooks
  • Conversations
    • Getting started
    • Customize the chat widget
    • JavaScript API reference
    • REST API reference
    • Conversations webhooks
  • eCommerce
    • Activate eCommerce app
    • Manage product categories
    • Manage products
    • Manage orders
    • Coupon collections
    • eCommerce tracker events
  • Loyalty
    • Overview
    • Set up a program
    • Enroll members
    • Credit & debit points
    • Read member data
    • Best practices
  • Custom Objects
    • Custom objects management
  • Brevo tracker and events
    • Getting started
    • JavaScript implementation
    • REST implementation
    • Legacy tracker documentation
    • Events
  • Accounts and settings
    • Senders and domains
    • User activity logs
    • External feeds
    • Invited users
LogoLogo
Help CenterAPI KeysStatusSign In
On this page
  • Whitelisting our webhook IPs
  • Username and password authentication
  • Bearer token authorization
  • Cloudflare headers authorization
Webhooks

Secure webhook calls

Was this page helpful?
Previous

Meetings and phone webhooks

Next
Built with

If your notify URL supports authentication methods, define them when creating the webhook instance.

Whitelisting our webhook IPs

This is the most basic way to ensure your resource is only accessible from our IP ranges. Add the range to your API configuration. CIDR ranges are listed here.

Username and password authentication

The username and password are appended to the url parameter on the endpoint. The format is https://username:password@example.com/. A sample cURL request:

curl --location 'https://api.brevo.com/v3/webhooks' \
--header 'content-type: application/json' \
--header 'api-key: xkeysib-{api-key}' \
--data '{
    "description" : "string",
    "url" : "https://username:password@hook.znapi.cc/ix0v9dsy",
    "events" : ["sent"],
    "type" : "transactional"
}'

The API key is required by default to authenticate the API endpoint request. The cURL request above creates a webhook for transactional emails using the sent event, authenticated by adding the username and password to the URL.

Bearer token authorization

If your notify URL uses token-based header authentication, define it as follows when creating the webhook object.

1curl --location 'https://api.brevo.com/v3/webhooks' \
2--header 'content-type: application/json' \
3--header 'api-key: xkeysib-{api-key}' \
4--data '{
5    "description" : "string",
6    "url" : "https://example.com/notifyurl3234121232",
7    "events" : ["sent"],
8    "type" : "transactional"
9    "auth":{
10             "type":"bearer",
11             "token":"client-token"
12    }
13}'

Cloudflare headers authorization

Cloudflare authorization is handled by adding headers in the Create/Update a Webhook endpoint. You can add any values as request headers. An example cURL request:

1curl --location 'https://api.brevo.com/v3/webhooks' \
2--header 'content-type: application/json' \
3--header 'api-key: ' \
4--data '{
5    "description" : "string",
6    "url" : "https://example.com/notifyurl3234121232",
7    "events" : ["sent"],
8    "type" : "transactional",
9    "headers":[
10          {
11              "key":"client-id",
12              "value":"1234clientidvalue"
13          },
14          {
15              "key":"client-secret",
16              "value":"5678clientsecretvalue"
17          }
18     ]
19}'

Send a request to the endpoint with any values as headers; multiple headers are supported. These headers are used for authentication when a webhook event is triggered to the URL.