We implemented webhooks as HTTP calls from our infrastructure to any URL.
For each subscription to our webhooks, you can configure which URL(s) we should send the notification to. However, the headers and body of the HTTP request are not configurable (please get in touch if this is an issue for you).
Consequently, to secure your webhooks, you should provide us with an HTTPS URL that contains the authentication key to send to your API.
A few examples to illustrate this:
    # Valid secured URLs
    'https://my-api.com/defacto-callback?apikey=3204830482'
    'https://my-api.com/defa[email protected]&password=azerty'
    'https://my-api.com/webook-callback?source=defacto&token=3204830482'

    # Invalid URL
    'http://my-api.com/webook-callback?source=defacto&token=3204830482'  # HTTPS is not used -> very insecure
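Because the key travels in the query string, the receiving API has to check it on every call and keep it out of its own logs. The sketch below is an added example, not code from this documentation or its provider: the function names are hypothetical, and the parameter names (`apikey`, `token`, `password`) are assumed from the sample URLs above.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names, taken from the sample URLs on this page.
SECRET_PARAMS = {"apikey", "token", "password"}


def check_callback_url(url):
    """Return a list of problems with a webhook URL before registering it."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("HTTPS is not used: the key would travel in clear text")
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if not names & SECRET_PARAMS:
        problems.append("no authentication key in the query string")
    return problems


def is_authorized(request_target, expected_key, param="token"):
    """Receiver side: check the key carried in the incoming request's query string."""
    values = [v for k, v in parse_qsl(urlsplit(request_target).query) if k == param]
    # Require exactly one value so a duplicated parameter cannot shadow the real one.
    if len(values) != 1:
        return False
    # Constant-time comparison avoids leaking the key through response timing.
    return hmac.compare_digest(values[0].encode(), expected_key.encode())


def redact(url):
    """Mask key values before the URL is written to an access or error log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Web servers and reverse proxies usually log the full request line, so apply the same masking in their log format as well as in application logs.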