24
votes

I'm currently using SendGrid's Inbound Parse Webhook to feed emails to my application. I've been able to get it working by pointing the URL to an endpoint which my application has exposed. SendGrid just sends the email in the form of a JSON format HTTP POST request to this endpoint and I just process each request internally.

My question is, now that I have it working, how do I ensure that only SendGrid can use this endpoint? At the moment, anyone can utilise this HTTP POST endpoint and pretend that an email has been sent to the application.

Can I get SendGrid to send some sort of unique key to identify themselves? Is there a way I can restrict by ip address?

1
Do not restrict by ip address, according to the docs they keep changing it.Diogo Gomes

1 Answers

28
votes

There are two ways which you may secure your endpoint. SendGrid's webhooks support basic auth (e.g. https://user:[email protected]/endpoint). You can also implement a unique key, that you check before acting upon the request (e.g. https://example.com/endpoint?key=123).

The simple answer, however, is anything that you add to the URL can act as unique authentication for SendGrid.