Stripe Webhook Authentication Error

Need help APIs
1

I’m setting up a stripe webhook to listen for subscription cancellations.

I successfully initialized the webhook and sent data from Stripe to Bubble.

Then, I removed the “Initialize” at the end of my endpoint URL and tested it again.

This time Stripe gave me an error…

image

{
“error_class”: “Unauthorized”,
“args”: {
“code”: “1647185057144x214012127239536540”
},
“message”: null,
“translation”: “You must authenticate to call this method”
}

I have the stripe app and the stripe.js app installed with the correct keys - is there something else I need to do to Authenticate?

2 Likes
2

Hi there @ian11,

In your backend workflow you need to let it run without authentication.

4 Likes
3

Doh! Of course. So simple… thank you!

4

Is this a good practice?
API worflows which are activated by stripe webhooks deal with payments and sensitive data. Don’t want anybody who isnt stripe activating this workflow. There must be a way to check for authentication.

2 Likes
5

I haven’t figure out a way to pass in a key in stripe for the webhook.

6

Second to this, I had the same problem but it was due to my account being on the FREE version of bubble. Upgrade and you should see a difference if you’ve tried the authentication without prevail.

7

You can do this but it’s unsecured. ANyone can pretend to be stripe and send data to your endpoint.
Read posts on ‘authenticating’ stripe webhooks for workarounds

2 Likes
8

I had this same problem.

Leave “this workflow can be run without authentication” box UNchecked.
Go to your Bubble settings > API > Generate a token or use what’s already there > go to your Stripe webhooks > at the end of the URL type:
?api_token=“your token”
save > re-run your workflow event. No more authentication error AND you don’t have to run it without authentication.

All credit goes to the team at Cranford Tech. For a video demonstration, check out their video Shopping Cart Payments with Multiple Sellers (Stripe Connect) - Bubble.io Tutorial. Particularly time 17:16-28:29

9

That’s no super safe either. If someone hacks your Stripe account or sees the link of your webhook URL somewhere they would have an admin API token to your app

What I’ve been doing is:

  1. Creating an API endpoint, not requiring authentication, and ignoring privacy rules
  2. Creating an option set with Stripe’s webhook IPs
  3. Add a condition to my backend WF to only run when the cf-connecting-ip contains one of the IPs in that option set. (make sure to check “detect headers” when you’re initializing your backend workflow)
1 Like
10

I like that better. User security is paramount