UiPath Documentation
integration-service
latest
false
Integration Service user guide

HTTP Webhook authentication

Connect UiPath to your webhook provider and configure webhook challenge verification or header-based authentication.

Prerequisites

Your webhook provider may require a handshake. Refer to the Webhook challenge verification section for details on how to configure the challenge verification.

Depending on where you create the trigger, the generated webhook URL will appear either in the HTTP Webhook trigger activity or on the trigger creation page, but only after the connection is created successfully. To avoid failures, paste the webhook URL into your application after you publish your workflow or the trigger is successfully created in UiPath Orchestrator.

Creating an HTTP Webhook connection

  1. Select Orchestrator from the product launcher.

  2. Select a folder, and then navigate to the Connections tab.

  3. Select Add connection.

  4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.

  5. In the What application is this webhook for field, enter a descriptive name for the webhook application, something that makes it easy to identify which vendor or integration this connection represents. This value becomes the Connection Identifier.

  6. (Optional) Configure header-based authentication.

    If you want UiPath to validate every incoming webhook request, from the Authentication Type dropdown select Header Based Authentication, then specify:

    • Header key — the HTTP header the vendor uses to send the credential (for example, X-API-Key or X-API-Secret).
    • Header value — the secret value the vendor sends in that header (for example, a1b2c3d4e5f6789...). This field is masked and stored securely. You can also use a credential asset for this field.

    Configure the same header key and value in the vendor's webhook settings. If the values don't match at runtime, UiPath rejects the request with HTTP 401.

    For more information, see Webhook header authentication.

  7. Configure the Challenge location
    Choose how the vendor will send the challenge token so that UiPath can respond correctly:

    • No challenge - the vendor does not require a handshake, and you can proceed to connect.
    • Query parameter (e.g., ?challenge=...)
    • JSON body (POST with { "challenge": "..." })
    • Header (e.g., X-Hub-Challenge)
  8. Configure the challenge verification and connect
    If the vendor requires a handshake, enter the challenge verification that matches the vendor's pattern (which field/header/query to read and how to echo/validate it). When configuration is complete, select Connect.

    Where available, select the menu next to a field and choose Use credential asset or Use Orchestrator asset to reference an Orchestrator asset instead of entering the value directly. For more information, see Use credential assets for connections.

Tip:
  • Use a name that includes the vendor and environment (for example, Stripe-prod or Slack-staging) to avoid confusion.
  • If you're unsure which challenge pattern the vendor uses, check their webhook docs or run a test registration to inspect the handshake request.

Webhook challenge verification

Some vendors require webhook URLs to be validated before they start sending real events. This is done using a challenge–response mechanism. When you register a webhook, the vendor sends a special challenge request, and the endpoint must respond exactly as expected.

The HTTP Webhook connector supports these verification flows through the Webhook Challenges Framework, allowing you to configure how UiPath should read and respond to vendor challenges.

Challenge verification support

UiPath supports both types of vendor webhook behaviors:

  • Vendors that do not use challenge verification
  • Vendors that require a challenge handshake before activating the webhook

This ensures compatibility with simple webhook providers as well as those with more advanced security requirements.

When vendors do not use challenge verification

Many applications simply accept a webhook URL and start delivering events immediately.
For these vendors:

  • Users only need to create or select a connection.
  • Copy the webhook URL.
  • Paste it into the vendor's webhook configuration.

No additional steps are required. The webhook becomes active as soon as the vendor starts sending events.

This is the most common and simplest scenario, and UiPath handles it seamlessly.

When vendors do require challenge verification

Some vendors send a challenge request to verify the webhook URL before enabling it.
In these cases:

  • Users must configure the challenge response in the HTTP Webhook connection.
  • UiPath listens for the vendor's challenge request.
  • UiPath automatically returns the correct challenge value based on the configuration.
  • Once the vendor validates the response, normal events begin to flow.

Because vendors differ in how they send the challenge (query param, JSON body, header, etc.), UiPath's configuration allows users to handle any of these patterns.

This ensures compatibility with webhook providers that enforce security handshakes such as Slack, Meta (Facebook/Instagram), Stripe, and others.

Configuring challenge verification

You configure challenge behavior using four parameters:

  • Challenge Key
    Field/key containing the challenge value. Used to detect challenge requests (must not be null).

  • Challenge Location
    Where the key appears:

    • Body
    • Query parameter
    • Header
  • Challenge Response Content Type
    Format of the response returned back to the vendor:

    • text/plain
    • application/json
  • Challenge Response Format
    Defines which value is returned (usually the challenge key itself).
    UiPath extracts the value from the incoming challenge and responds accordingly.

Challenge configuration examples

Generic example
Incoming request
 {
  "challenge": "ABC123"
 }
 {
  "challenge": "ABC123"
 }

Configuration

  • Challenge Key: challenge != null
  • Challenge location: Body
  • Response Type: text/plain
  • Response Format: challenge
Response

ABC123

WhatsApp challenge verification example

WhatsApp uses the query parameter–based challenge method with hub.challenge.

Configuration
ParameterValue
Challenge Keyhub.challenge != null
Challenge LocationQuery parameter
Challenge Response Content Typetext/plain
Challenge Response Formathub.challenge
Vendor request

GET https://your-webhook-url?hub.challenge=1234567890

Expected UiPath response
HTTP/1.1 200 OK
Content-Type: text/plain

1234567890
HTTP/1.1 200 OK
Content-Type: text/plain

1234567890

This confirms ownership, and WhatsApp begins sending real webhook events afterward.

Summary—Generic vs WhatsApp
StepGeneric ExampleWhatsApp Example
Challenge LocationBody / Query / HeaderQuery
Key FomatSimple key (e.g., challenge)Key with dot ("hub.challenge")
Response Typetext/plain or application/jsontext/plain
Response ValueValue of the keyValue of "hub.challenge"
MethodPOST or GETGET only

Examples by vendor pattern

Example 1: Simple body challenge with text response
Vendor sends

{"challenge":"abc123","type":"url_verification"}

FieldValue
Challenge locationBody
Challenge keychallenge
Challenge response content typetext
Challenge response formatchallenge

Response: abc123 (text/plain, 200)

Example 2: Query param challenge with text response
Vendor sends

GET /webhook?challenge=CHALLENGE_STRING

FieldValue
Challenge locationQuery Parameter
Challenge keychallenge
Challenge response content typetext
Challenge response formatchallenge

Response: CHALLENGE_STRING (text/plain, 200)

Example 3: Body challenge with JSON response
Vendor sends

{"challenge":"abc123"}

FieldValue
Challenge locationBody
Challenge keychallenge
Challenge response content typejson
Challenge response format{ "challenge": "challenge" }

Response: {"challenge":"abc123"} (application/json, 200)

Example 4: Nested body path (e.g., verification.token) with text response
Vendor sends

{"verification":{"token":"abc123"}}

FieldValue
Challenge locationBody
Challenge keyverification.token
Challenge response content typetext
Challenge response formatverification.token

Response: abc123 (text/plain, 200)

Example 5: Deeply nested path with JSON response
Vendor sends

{"event":{"challenge":"abc123","type":"verify"}}

FieldValue
Challenge locationBody
Challenge keyevent.challenge
Challenge response content typejson
Challenge response format{ "result": "event.challenge" }

Response: {"result":"abc123"} (application/json, 200)

Example 6: Header-based challenge (hyphenated header name) with text response
Vendor sends

POST /webhook x-webhook-challenge: abc123

FieldValue
Challenge locationHeader
Challenge key"x-webhook-challenge"
Challenge response content typetext
Challenge response format"x-webhook-challenge"

Response: abc123 (text/plain, 200)

Note:

The header name contains hyphens, which can be misinterpreted as operators in parsing contexts. Wrapping the identifier in double quotes (e.g., "x-webhook-challenge") ensures it is treated as a literal key name. Always use double quotes around any identifier that contains hyphens, dots, or other special characters.

Example 7: Boolean detection with different response key
Vendor sends

{"type":"url_verification","challenge":"abc","token":"legacytoken"}

Want to detect by type field but respond with challenge value.

FieldValue
Challenge locationbody
Challenge keytype == url_verification``
Challenge response content typejson
Challenge response format{ "challenge": "challenge" }

Response: {"challenge":"abc"} (application/json, 200)

Webhook header authentication

Header-based authentication lets UiPath validate every incoming webhook request against a shared secret you configured at connection creation. This prevents unauthorized callers from triggering your workflows by posting to your webhook URL.

How it works

When header-based authentication is enabled on a connection, Integration Service:

  1. Checks every incoming request for the configured header key.
  2. Accepts the event if the header is present and its value matches the stored secret.
  3. Returns HTTP 401 Unauthorized and does not trigger any workflow if the header is absent or its value does not match.

webhook header authentication

Example request that UiPath accepts:

POST /webhook HTTP/1.1
Host: <your-uipath-webhook-url>
X-API-Key: a1b2c3d4e5f6789...
Content-Type: application/json

{ "event": "..." }
POST /webhook HTTP/1.1
Host: <your-uipath-webhook-url>
X-API-Key: a1b2c3d4e5f6789...
Content-Type: application/json

{ "event": "..." }

Example request that UiPath rejects (header missing or value wrong):

HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized

Configuration fields

The following table describes the fields that enable you to configure webhook header authentication on the connection creation screen.

FieldDescriptionExample
Authentication TypeEnables or disables header validation for this connection.Header Based Authentication / None
Header KeyName of the HTTP header the vendor sends.X-API-Key, X-API-Secret
Header ValueSecret value the vendor sends in that header. Masked at rest.a1b2c3d4e5f6789...

Vendor compatibility

Header-based authentication only works with vendors that let you configure a custom HTTP header on outbound webhook deliveries.

If you're unsure whether your vendor supports outbound custom headers, check the vendor's webhook documentation.

Updating or rotating the secret

When you edit the connection and change the header value, the new value takes effect immediately for all triggers using that connection. The vendor's configuration must be updated with the new value at the same time, or the vendor's deliveries will fail with HTTP 401 until you do.

Behavior when authentication fails

A request is rejected with HTTP 401 Unauthorized if:

  • The expected header is absent from the request.
  • The header is present but its value does not match the stored secret.

Failed requests are not retried by UiPath, and no trigger event is dispatched. The vendor's own retry behavior (if any) applies.

Authentication failure traces can be viewed in the Traces section. To help protect our systems from DoS attacks, authentication failure traces are limited to 5 per hour.

Important notes

  • Header-based authentication is connection-scoped. All triggers created against the same connection share the same header key and value — updating the connection's secret affects every trigger using it.
  • Header-based authentication is independent of challenge verification. Either, both, or neither can be enabled on a connection.
  • The header value is stored encrypted and should be handled with the same care as any other credential.
  • Header names are case-insensitive per the HTTP specification (X-API-Key and x-api-key are equivalent).

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated