Custom Shared Secret

Any system that can send a custom request header

The Shared Secret mode is the simplest option: Wexio generates a random secret, the partner sends it as the x-webhook-secret header on every POST, and Wexio bcrypt-compares it on receipt. No signature math, no timestamp tolerance.

Use this when:

  • The partner is a no-code tool (Make, Zapier, n8n, IFTTT, Pabbly, Retool) that lets you configure arbitrary request headers.
  • The partner is your own backend and you control both sides.
  • The partner supports neither HMAC nor any of Wexio's named provider modes — but can send a custom header.

Setup

1. Wexio connection

New connection → Inbound. Leave Auth mode: Shared Secret (the default).

Wexio generates a random secret and shows it once on creation. Copy it now — if you lose it, use Rotate secret later.

2. Configure the partner

Depending on the tool:

  • HTTP module / node / action — set the header x-webhook-secret to the generated value. Set Content-Type: application/json and send a JSON body.
  • Webhook destination with a "custom headers" option — same, add x-webhook-secret.
  • Your own backend — add the header in your HTTP client when you POST.

3. Contact resolution, schema, flow

Same as every inbound — identifier + path, capture schema, bind a Webhook Received trigger.

Security Considerations

  • The secret travels on the wire — HTTPS is your transport protection. Only use this mode over HTTPS.
  • No per-body signature. A proxy that modifies the body (e.g. re-compresses, reformats JSON, strips whitespace) will not break the auth — but it may break the schema inference if the shape changes.
  • Replay protection via idempotency. Send X-Idempotency-Key with a stable per-event ID on retries — Wexio dedupes replays within the retention cache.
  • Rotate on compromise. If you suspect the secret leaked, rotate immediately from the Wexio UI. The old value stops working the moment you rotate.
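
For the "your own backend" case, the sender side of the setup and security points above can look like the following. This is an added example, not Wexio's code: the function names, the `opener` and `backoff` parameters and the retry policy are assumptions, and the inbound URL is whatever your Wexio connection shows.

```python
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def build_webhook_request(url, secret, event_id, payload):
    """Build (not send) a POST carrying the headers this page describes."""
    # The secret is sent verbatim, so refuse any transport other than HTTPS.
    if urlsplit(url).scheme != "https":
        raise ValueError("shared secret must only be sent over HTTPS")
    # Empty values or embedded line breaks would produce a broken request.
    for name, value in (("secret", secret), ("event_id", event_id)):
        if not value or "\r" in value or "\n" in value:
            raise ValueError(f"invalid {name}")
    headers = {
        "Content-Type": "application/json",
        "x-webhook-secret": secret,
        # Stable per-event ID: identical on every retry of the same event.
        "X-Idempotency-Key": event_id,
    }
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_event(url, secret, event_id, payload, attempts=3, backoff=1.0,
               opener=urllib.request.urlopen):
    """POST one event, retrying transient failures with the same key."""
    attempts = max(1, attempts)
    last_error = None
    for attempt in range(attempts):
        request = build_webhook_request(url, secret, event_id, payload)
        try:
            with opener(request, timeout=10) as response:
                return response.status
        except urllib.error.HTTPError as exc:
            if exc.code < 500:
                raise  # e.g. 401 for a wrong secret: retrying cannot help
            last_error = exc
        except OSError as exc:  # connection errors and timeouts
            last_error = exc
        if attempt < attempts - 1:
            time.sleep(backoff * 2 ** attempt)  # simple exponential backoff
    raise last_error
```

Load the secret from your secret store or environment rather than hard-coding it, so that rotating it in Wexio only requires updating one value on the sender.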

Troubleshooting

| Symptom | Fix |
|---|---|
| UNAUTHORIZED: Invalid secret | Wrong or missing x-webhook-secret header. Copy the secret fresh from Wexio. |
| Sporadic 401s | You rotated the secret in Wexio but didn't update the partner. Update both sides together. |
| The secret shown once is gone | Use Rotate secret on the connection; every partner must be updated. |

When to Use a Named Provider Mode Instead

If the partner is Stripe / Slack / Svix / Paddle / Revolut / GitHub / Shopify / etc., prefer their named mode. You get body-level signature verification (protects against replay and tampering) and replay tolerance tuned to the provider's retry policy.
