Hooks and secured API call


  • user registers using the auth0 lock to my application
  • auth0’s webhook on post user creation must call my API endpoint let’s say POST /api/user so I can have a replica of the data and save it in my own database

Now how can I secure the endpoint in order to be called only from the auth0 webhook?

If I remember correctly, our API uses proxy that only allows calls from Auth0 whitelisted IP address only. That works for both custom DB scripts and Hooks.

Heads up! If you are trying to access a service behind a firewall, make sure to open the right ports and allow inbound connections from these IP addresses:,,,,,,

Thanks for your reply
So by allowing request only from those IP I can secure my endpoint?

At the moment I’m using a secret key as an authorization api-key
Authorization: `Api-Key ${context.webtask.secrets.apikey}`

This way I allow request only from the auth0 webhook.
But I’m not sure if this is a safe method

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?