User Guide

Settings & API Keys

Manage your API keys and use them to verify that forwarded requests genuinely came from Webhook Guard. Access it via Settings in the top navigation.

Settings page showing active API keys with Copy, Show, and Revoke actions, the Add API Key option, and a note about the maximum of 2 active keys
The Settings page showing active API keys and management actions.

API Keys

Webhook Guard attaches your API key to every forwarded request as the X-Webhook-Guard-Api-Key header. You can use this on your server to verify that the request genuinely came from Webhook Guard and not from an unknown third party.

Adding a New Key

  1. Click Settings in the top navigation.
  2. In the API Keys section, click Add API Key.
  3. The new key is displayed. Copy it immediately โ€” it will be masked after you navigate away.
  4. Add the key to your server's configuration so it can validate incoming Webhook Guard requests.
๐Ÿ’ก You can have up to 2 active API keys at a time โ€” useful when rotating keys without downtime.

Verifying Requests on Your Server

On your server, read the X-Webhook-Guard-Api-Key header and check its value against your stored API key(s). If you have multiple active keys (useful during key rotation), the header may contain a comma-separated list โ€” accept the request if any of the values matches one of your active keys. 

// Example verification (Node.js)
const incoming = req.headers['x-webhook-guard-api-key'] ?? '';
const keys = incoming.split(',').map(k => k.trim());
const isValid = keys.some(k => k === process.env.WEBHOOK_GUARD_API_KEY);

if (!isValid) {
  return res.status(401).json({ error: 'Unauthorized' });
}

Revoking a Key

  1. In the API Keys section, find the key you want to remove.
  2. Click Revoke next to that key.
โš ๏ธ Revoking a key takes effect immediately. You cannot revoke your last remaining key. To rotate safely: add a new key first, update your server configuration, then revoke the old key.

The Attempt Header

Every forwarded request also includes an X-Webhook-Guard-Attempt header. Its value is the attempt number: 1 for the initial delivery, 2 for the first automatic retry, and so on. Use this on your server to distinguish first-time deliveries from retries if needed.