How-To Secure Contrast Webhooks

  • Updated


Add a secret to webhooks from Contrast so that the webhook consumer can verify the source of the webhook is indeed Contrast.


The webhook must already have been created in Contrast before adding a secret.

For EOP customers, the Contrast UI version must be 3.9.7 or later.


First, use the API to pull a list of all webhooks configured for your organization, for example, using cURL:

  1. Log into Contrast  --> click on profile --> "Your account" and gather the following:
    • Organization ID
    • API Key
    • Authorization Header
  2. Using the information gathered above, run the following cURL command to retrieve a list of all existing webhooks:
curl -X 'GET' \
'https://<instance>$ORGANIZATION_ID/webhooks' \
-H 'accept: application/json' \
-H 'Authorization: $AUTHORIZATION'\
-H 'Api-Key: $API_KEY'

Next, identify the desired webhook in this response and set it as $WEBHOOK_ID, then add one or more secrets in the form of headers as in the following example:

curl -X 'PUT' \
'https://<instance>$ORGANIZATION_ID/webhooks/$WEBHOOK_ID/secret' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Authorization: $AUTHORIZATION' \
-H 'Api-Key: $API_KEY' \
-d '{
"headers": [
"name": "$SECRET_NAME1",
"value": "$SECRET_VALUE1"
"name": "$SECRET_NAME2",
"value": "$SECRET_VALUE2"

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request