Noting that in addition to the option of including the API key in the webhook URL, it can alternatively be in the header.
We mention both in the docs, but it wasn't super clear before. The Docs and Workflows teams actually saw this topic, so they made an update to make the docs wording more clear/visible! Thanks @Shawn_Optipath @ZeroCodez for working to arrive at a solution to this topic and surfacing that this was confusing. Our teams do regularly monitor the forums for ways to improve both the docs and the product!
Previous docs wording:
The cURL request provided uses
X-Workflow-Api-Keyheader to authenticate webhook requests. You can also use theworkflowApiKeyquery parameter to authenticate webhook requests. While query parameters may be required by some 3rd party webhook integrations, be wary that this secret API key may be logged by those systems and Retool while logging requests to that url.
Updated docs wording: Trigger workflows with webhooks | Retool Docs
You can authenticate webhook events by using one of the following in the request:
- The
X-Workflow-Api-Keyheader.- The
workflowApiKeyquery parameter.
Retool recommends using
X-Workflow-Api-Keyheader unless your intended usage only supports query parameters (e.g., third-party integrations). Be wary when including the secret API key as a query parameter as it can be logged since it is part of the URL.