Example: Sending to a Secure API (Custom Headers)

Most real-world APIs are not public. They require an API key, a Bearer token, or some other form of authentication in the request headers.

HookMux's Custom Headers feature (available on paid plans) is designed for this. It allows you to securely store authentication secrets for each destination.

This guide shows how to send webhooks to a private API that requires an Authorization: Bearer <token> header.

Step-by-Step Guide

  1. Create Your Source: First, create a Source in HookMux to receive your webhooks (e.g., from GitHub).
    • Webhook Name: GitHub - My Project
    • Allowed HTTP Methods: (select both GET and POST)
    • Custom Endpoint URL: Enter a unique URL slug or leave empty for a randomly-generated URL slug.
  2. Create Your Destination:
    • On the Webhooks page, click the "View" button for the newly created source.
    • Click the "+ Add Destination" button.
    • Destination URL: The URL of the service to which you want to redirect the webhook.
    • Allowed HTTP Methods: GET & POST (we allow both GET and POST requests to be sent to the service above)
    • Click Create Destination
  3. Add Your Secret Header:
    • On the source page you opened in Step 2, find the newly created destination card and click the expand button (marked with an icon).
    • Click the "Custom Headers" accordion trigger to expand the custom headers settings.
    • To start adding, updating, or deleting custom headers, click the menu button and then click "Start Edit".
    • Fill in the key-value pair for your API's authentication:
      • Name: Authorization
      • Value: Bearer sk_live_mysecretkey12345abcde
  4. Save your changes: Click "Add".

The Result

You're all set. Now, when a webhook arrives at your GitHub - My Project Source, HookMux will:

  1. Receive the payload from GitHub.
  2. Find your My Private API (Production) destination.
  3. Create a new HTTP request to your API.
  4. Copy the payload from GitHub, and add your custom Authorization header to the request.
  5. Your API receives the request, validates the Bearer token, and accepts the payload.
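
The receiving side of step 5, as an added example (not HookMux code): a minimal Python WSGI endpoint that checks the Authorization: Bearer header with a constant-time comparison before it reads the payload. The environment variable name, the sample token and the simulate helper are assumptions made for illustration.

```python
import hmac
import io
import os

# Assumption: the API loads the token that was entered as the custom header
# value from its own environment; the fallback is a constructed sample value.
EXPECTED_TOKEN = os.environ.get("WEBHOOK_BEARER_TOKEN", "sk_test_constructed_sample_value")


def bearer_token_ok(header_value, expected=EXPECTED_TOKEN):
    """Return True only for a well-formed 'Bearer <token>' carrying the expected token."""
    if not header_value:
        return False
    scheme, _, presented = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # compare_digest takes the same time wherever the two values differ.
    return hmac.compare_digest(presented.strip().encode(), expected.encode())


def app(environ, start_response):
    """Minimal WSGI receiver: authenticate first, read the payload second."""
    if environ.get("REQUEST_METHOD") not in ("GET", "POST"):
        start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
        return [b""]
    if not bearer_token_ok(environ.get("HTTP_AUTHORIZATION")):
        start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
        return [b""]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    payload = environ["wsgi.input"].read(length)
    # Hand the payload to the application here; the token itself is never logged.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"accepted %d bytes" % len(payload)]


def simulate(method, authorization, body=b""):
    """Drive the app with a constructed request and return (status, response body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks)
```

Requests without the header, with another scheme, or with a different token get a 401 before any of the body is read.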

Security Note:

Your secret (Bearer sk_live_...) is end-to-end encrypted in our database as soon as you hit save. It is never stored in plain text and is only decrypted in memory during the webhook delivery process.