Secure Your Data with Webhook Signatures

February 24, 2026

We've added a major security upgrade to Basin: Webhook Signatures. Every webhook you send from Basin now automatically includes an X-Basin-Signature header.

Why This Matters Now

Most of your submissions come from the public, and Basin already does the heavy lifting of filtering out spam and phishing. But what happens if an attacker finds the URL of the webhook endpoint (an n8n or Zapier workflow, or a custom backend) where we send your clean data?

If they hit that URL directly, they bypass Basin's spam filters entirely. Webhook signatures fix this:

  • Stop Direct-to-Webhook Attacks: By verifying the payload HMAC against your unique Signing Secret, your receiving server can guarantee the request came from Basin and hasn't been tampered with. It essentially "locks the door" so your webhook endpoint only listens to Basin.
  • Safer AI Agents & OpenClaw: If your webhooks trigger AI workflows or agentic actions (like an OpenClaw setup executing tasks based on form input), letting attackers bypass spam filters is incredibly dangerous. Verification ensures your AI agents strictly execute commands from verified, spam-filtered Basin submissions.

How It Works

It’s already live! We’ve assigned a unique Signing Secret to all your existing webhooks.

  1. View your Signing Secret on the Webhooks settings page.
  2. In your receiving app, use the secret to compute an HMAC SHA256 hash of the incoming request body.
  3. Compare it to the X-Basin-Signature header (it uses standard sha256= formatting). If they match, the payload is verified!
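
A receiver-side check for the three steps above, as an added example rather than Basin's own code. It assumes the value after sha256= is the hex-encoded digest and that the Signing Secret is used as UTF-8 key bytes; the secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

PREFIX = "sha256="

def expected_signature(secret: str, raw_body: bytes) -> str:
    # Assumption: the header carries the hex digest after "sha256=".
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return PREFIX + mac.hexdigest()

def verify_basin_signature(secret: str, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the exact bytes received."""
    if not header:
        return False  # unsigned request: reject rather than fall through
    header = header.strip().lower()
    if not header.startswith(PREFIX):
        return False
    received = header[len(PREFIX):]
    if len(received) != 64 or any(c not in "0123456789abcdef" for c in received):
        return False  # not a well-formed SHA-256 hex digest
    expected = expected_signature(secret, raw_body)[len(PREFIX):]
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, received)

# Constructed sample values, not real Basin data.
SECRET = "constructed-signing-secret"
BODY = b'{"email":"a@example.com","message":"hi"}'
HEADER = expected_signature(SECRET, BODY)

def demo() -> dict:
    # Re-encoding parsed JSON changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(BODY)).encode("utf-8")
    return {
        "valid": verify_basin_signature(SECRET, BODY, HEADER),
        "tampered_body": verify_basin_signature(SECRET, BODY.replace(b"hi", b"pay"), HEADER),
        "missing_header": verify_basin_signature(SECRET, BODY, None),
        "wrong_secret": verify_basin_signature("other-secret", BODY, HEADER),
        "reserialized_json": verify_basin_signature(SECRET, reserialized, HEADER),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Run the check on the raw request bytes before any JSON parsing, and stop processing the request when it returns False.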

We’d love to hear your feedback on this security update!