Webhook authentication using a secret key from Dentally?

I am setting up a webhook in a 3rd party tool. In setting up the webhook I am given a “secret”. This is a random string of letters and obviously needed for authentication.

I am unsure how to configure the webhook node to use this secret correctly.

Here is the documentation - https://developer.dentally.co/#create-a-webhook

Hi @Robm

This page is for creating a webhook programmatically.
It is not what you are looking for, I think.

My first answer was wrong. :cry:
They are hashing it as Jon said, so no auth is needed here. It’s only for hashing purposes with the signature and secret etc.

WRONG

You can add authentication to the webhook in this case the header auth:

Doc to signing part: Dentally API
Does seem you get a hashed body, so might need to do some more after receiving the hook.


1 Like

Hey @Robm,

It looks like you create that secret and they send a SHA256 sum along with each request using that key to sign it and you then need to verify it before processing the webhook. Technically you can just ignore it but it is there for security.

So when the body comes in to the webhook you will see an X-Dentally-Signature header. You will need to use the crypto node to generate your own signature with something like the below, where `$json['body']` is an expression to get the webhook body and the secret is the value from earlier.

Once you have done this add in an If node to do your comparison from the header and the one you have generated and if it matches all is good.

1 Like
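The check described in the answer above, as an added example that is not part of the original posts and is not Dentally's or n8n's own code. It assumes the X-Dentally-Signature value is a hex-encoded HMAC-SHA256 of the raw request body keyed with the secret (confirm the exact scheme in the Dentally docs); the function names and sample values are constructed for illustration.

```javascript
// Added example: verify a webhook signature before trusting the body.
const crypto = require("crypto");

// ASSUMPTION: signature = hex(HMAC-SHA256(secret, raw request body)).
function computeSignature(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Returns true only when the header matches the locally computed signature.
function verifyWebhook(secret, rawBody, headerValue) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  const expected = Buffer.from(computeSignature(secret, rawBody), "utf8");
  const received = Buffer.from(headerValue.trim().toLowerCase(), "utf8");
  // timingSafeEqual throws on a length mismatch, so check length first.
  if (expected.length !== received.length) return false;
  // Constant-time compare avoids leaking how many characters matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real Dentally values).
const SAMPLE_SECRET = "constructed-example-secret";
const SAMPLE_BODY = '{"event":"patient.updated","id":123}';
const SAMPLE_HEADER = computeSignature(SAMPLE_SECRET, SAMPLE_BODY);

function demo() {
  // Parsing and re-serializing changes the bytes, so the signature no longer matches.
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_BODY), null, 2);
  return {
    valid: verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER),
    tamperedBody: verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY.replace("123", "124"), SAMPLE_HEADER),
    wrongSecret: verifyWebhook("other-secret", SAMPLE_BODY, SAMPLE_HEADER),
    missingHeader: verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY, undefined),
    reserializedBody: verifyWebhook(SAMPLE_SECRET, reserialized, SAMPLE_HEADER),
  };
}

console.log(demo());
```

The signature covers the exact bytes that were sent, so compute it over the raw body as received rather than over a parsed and re-stringified object.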

Wow, ok let me try get my head around that.

Start with a webhook node. That will catch the incoming data but I won’t be able to see the body, right? I link the webhook node to the crypto node and configure the crypto node as you have shown. I am not quite following how to configure the `$json['body']` as an expression. I assume I map it to whatever comes into the webhook node?

I am confused on the IF node and how to configure that. Would that be a node after the crypto node? Can I get a for-dummies explanation there? How would that be used to show the body of the webhook?

Something like this.

1 Like

Thanks, it’s working and without needing the encryption step.

2 Likes

Hi @Robm

The encryption / signing of the body is to check if the body is valid. You don’t need it, but because they do provide it, why not. :slight_smile: