
Hooks and secured API call

hooks

#1

Scenario:

  • a user registers in my application using the Auth0 Lock
  • Auth0’s webhook on post user creation must call my API endpoint, let’s say POST /api/user, so I can have a replica of the data and save it in my own database

Now how can I secure the endpoint in order to be called only from the auth0 webhook?


#2

If I remember correctly, our API uses a proxy that only allows calls from Auth0 whitelisted IP addresses. That works for both custom DB scripts and Hooks.

Heads up! If you are trying to access a service behind a firewall, make sure to open the right ports and allow inbound connections from these IP addresses: 35.167.74.121,35.166.202.113,35.160.3.103,54.183.64.135,54.67.77.38,54.67.15.170,54.183.204.205


#3

Thanks for your reply.
So by allowing requests only from those IPs, I can secure my endpoint?

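At the moment I’m using a secret key as an authorization api-key:

const axios = require("axios");
// Request headers go under the `headers` key of the axios config object.
axios.post("myendpoint", { user }, {
  headers: {
    Authorization: `Api-Key ${context.webtask.secrets.apikey}`
  }
})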

This way I allow requests only from the Auth0 webhook.
But I’m not sure if this is a safe method.
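
An added example, not part of the thread and not Auth0's code: one way the receiving POST /api/user endpoint could combine the two checks discussed above, the source-IP allowlist from reply #2 and the `Api-Key` header from reply #3, with a constant-time key comparison. The helper name `checkHookRequest`, the status codes, and the sample key and requests are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Source addresses quoted in reply #2; confirm against Auth0's current documentation.
const ALLOWED_IPS = new Set([
  '35.167.74.121', '35.166.202.113', '35.160.3.103', '54.183.64.135',
  '54.67.77.38', '54.67.15.170', '54.183.204.205',
]);

// Compare two secrets without leaking where they first differ.
// Hashing first gives timingSafeEqual the equal-length buffers it requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Hypothetical helper: decides whether a request to POST /api/user came from the hook.
// `remoteAddress` must be the peer address reported by your own trusted proxy,
// not a client-supplied X-Forwarded-For value.
function checkHookRequest({ headers, remoteAddress }, expectedKey) {
  if (!expectedKey) return { ok: false, status: 500, reason: 'no key configured' };
  const ip = String(remoteAddress || '').replace(/^::ffff:/, ''); // IPv4-mapped IPv6
  if (!ALLOWED_IPS.has(ip)) return { ok: false, status: 403, reason: 'source ip' };
  const match = /^Api-Key (\S+)$/.exec(headers.authorization || '');
  if (!match) return { ok: false, status: 401, reason: 'missing or malformed header' };
  if (!safeEqual(match[1], expectedKey)) return { ok: false, status: 401, reason: 'bad key' };
  return { ok: true, status: 200, reason: 'ok' };
}

// Constructed sample requests (Node lower-cases incoming header names).
const KEY = 'constructed-sample-key';
const samples = [
  { headers: { authorization: `Api-Key ${KEY}` }, remoteAddress: '::ffff:35.167.74.121' },
  { headers: { authorization: `Api-Key ${KEY}` }, remoteAddress: '203.0.113.9' },
  { headers: { authorization: 'Api-Key wrong' }, remoteAddress: '54.67.77.38' },
  { headers: {}, remoteAddress: '54.67.77.38' },
];
for (const s of samples) console.log(s.remoteAddress, checkHookRequest(s, KEY));
```

The IP check only shows that the call left from one of the listed addresses; the key is what identifies this particular hook, so it should be sent over HTTPS and kept out of logs.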