Secure webhook calls

If your notify URL supports authentication methods, define them when creating the webhook instance.

Whitelisting our webhook IPs

This is the most basic way to ensure your resource is only accessible from our IP ranges. Add the range to your API configuration. CIDR ranges are listed here.

Username and password authentication

The username and password are embedded in the URL passed as the url parameter to the endpoint. The format is http://username:password@example.com/. A sample cURL request:

curl --location 'https://api.brevo.com/v3/webhooks' \
  --header 'content-type: application/json' \
  --header 'api-key: xkeysib-{api-key}' \
  --data '{
    "description": "string",
    "url": "https://username:password@hook.znapi.cc/ix0v9dsy",
    "events": ["sent"],
    "type": "transactional"
  }'

The API key is required by default to authenticate the API endpoint request. The cURL request above creates a webhook for transactional emails using the sent event, authenticated by adding the username and password to the URL.

Bearer token authorization

If your notify URL uses token-based header authentication, define it as follows when creating the webhook object.

curl --location 'https://api.brevo.com/v3/webhooks' \
  --header 'content-type: application/json' \
  --header 'api-key: xkeysib-{api-key}' \
  --data '{
    "description": "string",
    "url": "https://example.com/notifyurl3234121232",
    "events": ["sent"],
    "type": "transactional",
    "auth": {
      "type": "bearer",
      "token": "client-token"
    }
  }'

Cloudflare headers authorization

Cloudflare authorization is handled by adding headers in the Create/Update a Webhook endpoint. You can add any values as request headers. An example cURL request:

curl --location 'https://api.brevo.com/v3/webhooks' \
  --header 'content-type: application/json' \
  --header 'api-key: xkeysib-{api-key}' \
  --data '{
    "description": "string",
    "url": "https://example.com/notifyurl3234121232",
    "events": ["sent"],
    "type": "transactional",
    "headers": [
      {
        "key": "client-id",
        "value": "1234clientidvalue"
      },
      {
        "key": "client-secret",
        "value": "5678clientsecretvalue"
      }
    ]
  }'

Send a request to the endpoint with any values as headers; multiple headers are supported. These headers are used for authentication when a webhook event is triggered to the URL.
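A receiver-side check for the methods above, as an added example that is not part of Brevo's documentation. It assumes URL credentials arrive as an HTTP Basic Authorization header and the bearer token as "Authorization: Bearer <token>"; the CIDR range, the secrets and all function names are constructed placeholders.

```python
import base64
import hmac
import ipaddress

# Constructed placeholders: substitute the published CIDR ranges and your own secrets.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BASIC_USER, BASIC_PASS = "username", "password"
BEARER_TOKEN = "client-token"
REQUIRED_HEADERS = {"client-id": "1234clientidvalue",
                    "client-secret": "5678clientsecretvalue"}

def _eq(a, b):
    # Constant-time comparison, so timing does not reveal how much of a secret matched.
    return hmac.compare_digest(a.encode(), b.encode())

def ip_allowed(remote_addr):
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def basic_ok(headers):
    # Assumption: URL credentials arrive as "Authorization: Basic base64(user:pass)".
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, pwd = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    return bool(sep) & _eq(user, BASIC_USER) & _eq(pwd, BASIC_PASS)

def bearer_ok(headers):
    # Assumption: the configured token arrives as "Authorization: Bearer <token>".
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return scheme.lower() == "bearer" and _eq(token, BEARER_TOKEN)

def custom_headers_ok(headers):
    # Compare every required header before deciding; a missing one counts as a mismatch.
    return all([_eq(headers.get(k, ""), v) for k, v in REQUIRED_HEADERS.items()])

def authorize(remote_addr, headers, method):
    """method is 'basic', 'bearer' or 'headers', matching how the webhook was created."""
    headers = {k.lower(): v for k, v in headers.items()}
    check = {"basic": basic_ok, "bearer": bearer_ok, "headers": custom_headers_ok}[method]
    return ip_allowed(remote_addr) and check(headers)
```

Pass the socket peer address as remote_addr; a forwarded-for header is only trustworthy when your own reverse proxy sets it.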