Menu

Webhook Headers & Authentication

When integrating Flarie with external systems, security is essential, especially when handling sensitive user data.
To ensure your webhooks remain trusted and protected, Flarie provides simple yet flexible authentication options and full control over request headers.

In this guide, you’ll learn how to securely authenticate your webhooks step-by-step.
By following best practices for authentication, you can ensure that your integrations are safe, verified, and reliable—every time an event is triggered in your Game or Game Center.

Whether you're connecting to internal APIs or third-party platforms, these settings help you ensure that only authorized sources can communicate with your endpoints—keeping your data and integrations secure.

Request Configuration

Flarie Studio supports three authentication types for webhook requests:
1. None 
No authentication will be included in the request header.
Use this only for public endpoints or testing environments.

2. Flarie Authentication (recommended)
This option automatically includes a Bearer token in the Authorization header using your account’s API Access Key.
Authorization: Bearer <accessKey>
Learn how to enable API Access Key in Flarie Studio here
Tip: Verifying this token on your endpoint adds an extra layer of security, ensuring requests genuinely originate from Flarie and not from unauthorized sources.


3. Custom Authentication 
Choose Custom Authentication if your endpoint requires specific credentials.
Basic Auth 
Use this when the endpoint requires a username and password for access.
Enter your Username and Password in the provided fields. 
These values are automatically encoded and sent in the request header as: Authorization: Basic <base64(username:password)>
The credentials are encoded using Base64 before being sent.)

Bearer Token
Use this when the endpoint requires an access token instead of a username/password.
Enter your Token in the provided field.
The request will include the token in the Authorization header as: Authorization: Bearer <your_token_here>

Custom HeadersYou can add Custom Headers to include additional key–value pairs in your webhook request.
These headers are sent along with the request and can be used for things like custom authentication, metadata or identifying your application.

Use the “Add Header +” button to create as many headers as you need.

Example
If your receiving endpoint requires a specific API key, you can add:

Header Name: x-api-key
Header Value: 12345-ABCDE

This will be sent as part of the request:
x-api-key: 12345-ABCDE

You can also combine this with Basic Auth or Bearer Token if your endpoint requires both custom headers and authentication.

 

X-Signature Header Signed with Secret Key (optional)

Learn how to enable Secret Key in Flarie Studio here

You can further enhance webhook security by enabling the X-Signature header, signed using your Secret Key.
When enabled, every webhook request from Flarie includes:

X-Signature: <HMAC-SHA256 signature>

This signature is generated by hashing the raw JSON payload using your account’s Secret Key.
It acts as a digital signature, allowing you to verify both the integrity and authenticity of each request.

Here’s a simple Node.js example to verify the signature:

const crypto = require("node:crypto");

// Example payload (exact JSON string from the request body)
const payload = // your json payload from the webhook
const payloadString = JSON.stringify(payload);

// Your Secret Key from Flarie Studio
const secretKey = "your-secret-key";

// Generate the expected HMAC-SHA256 signature
const calculatedSignature = crypto
.createHmac("sha256", secretKey)
.update(payloadString)
.digest("hex");

// Compare with the X-Signature from the request header
const xSignature = "X-Signature-in-the-header";

if (xSignature === calculatedSignature) {
console.log("✅ Payload is authentic and unmodified")
} else {
console.log("⚠️ Payload is modified")
}

Adding this verification step is optional—but highly recommended for any critical or sensitive integrations.

 

Need additional help setting up your integration? Contact Us