Stripe Webhook Authentication

Stripe’s webhook documentation says they support basic authentication. If I generate an API token in Bubble, how do I set this up in Stripe?

Does it just need to go in the URL?

I know I could run the API endpoint without authentication, but I’d rather not.

@csblack Did you ever figure out the best way to authenticate on Stripe?

No, I don’t think I ever got an answer to this one.

@emmanuel Hi Emmanuel, should we be authenticating endpoints with Stripe? If there is no authentication, is it possible for someone to send data to an endpoint that is not Stripe? It looks like in your example you do not use authentication…

Yes, because what we use is the event id, that uses the Stripe plugin and our key. So if someone malicious wants to hit our API wf, the wf won’t run because the event id won’t be valid. Look at the workflow.

Emmanuel… I’m not understanding how the use of the event id provides a level of authentication. Can you please elaborate on this?

@kevin4 Were you able to find out a way to use the Stripe endpoint without marking “This endpoint can be run without authentication” as checked?

I can help you set up your Stripe webhook, if I can take a look at your setup.

Sorry, I just saw this now, 4 months later. The short answer is “no”, but I found some documentation somewhere about why that isn’t a problem and why it can’t be abused. I’m not sure where I found that documentation, but I moved on at that point and worked on other aspects of the application.

Can you base64 decode the Bubble token?

Then add that to the webhook URL?

https://username:password@mybubbleapp.com

So no…

  1. Decoding a Bubble Basic token doesn’t give you a username:password
  2. You can’t URL encode it and pass it as there are invalid characters
  3. You can’t pass a user email and password from your app

erm… so no.

What you could do is use the signing secret to check if it was Stripe that sent it. But that looks complicated!
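
Added example (not part of the thread and not Stripe's or Bubble's own code): the signing-secret check mentioned in the last post, following Stripe's documented scheme in which the `Stripe-Signature` header carries `t=<timestamp>,v1=<HMAC-SHA256 of "<timestamp>.<raw body>">` keyed with the endpoint's signing secret. The secret, body and timestamp below are constructed sample values, and `sign_for_demo` is a hypothetical helper that exists only to build a sample header.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # replay window; Stripe's libraries default to 5 minutes


def parse_signature_header(header):
    """Split 't=...,v1=...,v1=...' into a timestamp and the list of v1 signatures."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_stripe_signature(payload, header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only if the raw body was signed with the endpoint secret and is recent."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not (timestamp.isascii() and timestamp.isdigit()) or not signatures:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False  # too old (or future-dated): treat as a replay
    signed_payload = timestamp.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest().encode()
    # Constant-time compare against every v1 value (several can be present at once).
    return any(hmac.compare_digest(expected, sig.encode()) for sig in signatures)


def sign_for_demo(payload, secret, timestamp):
    """Hypothetical helper: builds a header like the sender would, for the sample only."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


# Constructed sample values, not real Stripe data.
SECRET = "whsec_example_placeholder"
BODY = b'{"id": "evt_example", "type": "checkout.session.completed"}'
NOW = 1_700_000_000
GOOD_HEADER = sign_for_demo(BODY, SECRET, NOW)

if __name__ == "__main__":
    print(verify_stripe_signature(BODY, GOOD_HEADER, SECRET, now=NOW))          # genuine
    print(verify_stripe_signature(BODY + b" ", GOOD_HEADER, SECRET, now=NOW))   # tampered body
    print(verify_stripe_signature(BODY, GOOD_HEADER, SECRET, now=NOW + 3600))   # replayed later
```

The check must run over the raw request bytes exactly as received; a body that has been parsed and re-serialized will not match the signature.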