Webhook Security
Token Management
Webhook tokens are secrets — they grant the ability to post messages to your channels without authentication.
Never commit webhook tokens to version control. Use environment variables or a secrets manager.
Token Storage
- Tokens are hashed (SHA-256) before storage in the database
- The plaintext token is only shown once at creation time
- If compromised, delete the webhook and create a new one
Token Rotation
There is no token rotation endpoint. To rotate a token:
- Delete the existing webhook
- Create a new webhook on the same channel
- Update your integration with the new URL
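To make the storage and rotation rules above concrete, here is an added example (not the service's own code) of a server-side token store that keeps only the SHA-256 digest, returns the plaintext once at creation, verifies presented tokens in constant time, and implements rotation as delete-then-create. The `WEBHOOKS` dictionary stands in for the database table and the `webhook_id` values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for the webhook table (constructed for this example).
# Maps webhook id -> SHA-256 hex digest of its token; plaintext is never stored.
WEBHOOKS: Dict[str, str] = {}


def hash_token(token: str) -> str:
    """Return the SHA-256 hex digest that is stored instead of the token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_webhook(webhook_id: str) -> str:
    """Create a webhook and return its plaintext token exactly once.

    Only the digest is persisted, so a later database read cannot recover
    the token; a lost token means deleting the webhook and creating a new one.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    WEBHOOKS[webhook_id] = hash_token(token)
    return token


def verify_token(webhook_id: str, presented: str) -> bool:
    """Check a token presented on an incoming request against the stored hash.

    hmac.compare_digest runs in constant time, so response timing does not
    reveal how much of the digest matched.
    """
    stored: Optional[str] = WEBHOOKS.get(webhook_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_token(presented))


def delete_webhook(webhook_id: str) -> bool:
    """Revoke a webhook; returns False if it did not exist."""
    return WEBHOOKS.pop(webhook_id, None) is not None


def rotate_webhook(webhook_id: str) -> str:
    """Rotation without a dedicated endpoint: delete, then create.

    The old token stops verifying as soon as the delete happens, so the
    integration must be updated with the new token immediately afterwards.
    """
    delete_webhook(webhook_id)
    return create_webhook(webhook_id)
```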
Best Practices
- Store tokens in environment variables, not code
- Use HTTPS for all webhook requests (enforced by the API)
- Monitor webhook usage via the management endpoints
- Delete unused webhooks promptly