Unprotected Calendly Webhook: Node accepts payloads without authentication/verification

It would help if there was a node for:

An update to the Calendly Trigger node that includes automatic webhook signature verification.

My use case:

I am using the Calendly Trigger to automate internal processes. Currently, the webhook URL generated by n8n is “open”—it accepts any JSON payload (e.g., from Postman) without requiring authentication or verifying that the data actually came from Calendly.

In my testing, I was able to trigger the workflow with a manual payload despite having OAuth credentials configured. This creates a security vulnerability where unauthorized users could trigger workflows or inject false data if they discover the URL. The node should automatically validate the X-Calendly-Signature header against a signing key to ensure data integrity.

Any resources to support this?

Calendly provides documentation on how to verify webhook signatures using a signing key:

Are you willing to work on this?

I am reporting this as a security improvement/feature request. I am happy to provide further testing or details from the user perspective, but I would need a developer from the community or the n8n team to implement the signature verification logic in the node’s code.

Valid point on the security hardening. It really comes down to classification.

Since n8n webhooks are public by default and can be secured via IP/Auth, the real gap here is the lack of native Calendly signature verification. We already see this implemented in the Slack trigger, so adding it to Calendly is a reasonable ask.

If you feel this crosses into ‘vulnerability’ territory, I’d suggest hitting up their official security channel. If not, keeping this as a public feature request for hardening works fine.

Report a vulnerability

@tamy.santos

Thank you very much for your feedback and hint - I just reported the vulnerability.
