Origin for webhooks

Hi, I need to manage cors on my app to allow only certain origins on my endpoints. I’m using Dato webhooks to call some of my endpoints. Which origin should be allowed to let these request in?

Thanks!

Hello @felix.proulx

The IP origin for the included webhooks is fully dynamic unfortunately.
If you’d like you can use the custom payloads to setup an authentication system if you’d like

Or, if you do need some webhooks with static IPs, contact us at support@datocms.com as we have some payed packages for that option we can discuss

Hi,

Thanks for the fast answer.

I already use the custom headers for authorization but the client is pretty serious about security and I would like to provide a solution that would take into account the possibility that the token could be stolen and prevent using the endpoint form elsewhere.

I figured the origin domain + the token would we enough but it’s unclear to me what domain should be allowed in cors to let webhooks requests in.