Authentication: API Keys and Security
Secure your FetchHook integration with proper API key management and authentication patterns.
#API Keys
Your API key authenticates requests to fetch webhooks from your mailbox. It starts with 'fh_' and should be kept secret. Never commit it to version control or expose it client-side.
Using Your API Key
# Always use the Authorization header with Bearer scheme
curl https://api.fetchhook.app/api/v1/src_your_source \
-H "Authorization: Bearer fh_your_api_key"
# NEVER put your API key in the URL
# ❌ BAD: https://api.fetchhook.app/api/v1/src_your_source?key=fh_...

#Environment Variables
Store your API key in environment variables, never hardcode it in your application code.
Environment Setup
# .env file (DO NOT commit this)
FETCHHOOK_API_KEY=fh_your_api_key_here
FETCHHOOK_SOURCE_ID=src_your_source_id
# Access in your code:
# Python: os.getenv('FETCHHOOK_API_KEY')
# Node.js: process.env.FETCHHOOK_API_KEY
# Go: os.Getenv("FETCHHOOK_API_KEY")

#Webhook Security
Anyone can send webhooks to your mailbox URL - it's intentionally public so providers like Stripe can reach it. For security-critical webhooks, always verify signatures from the original provider.
- Stripe: Verify stripe-signature header
- GitHub: Verify x-hub-signature-256 header
- Shopify: Verify x-shopify-hmac-sha256 header
- FetchHook stores these headers for you to validate
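One way to check the three provider signatures listed above once you have an event's stored headers and its raw body (an added example, not FetchHook's own code). How FetchHook returns the headers and body is not shown on this page, so the functions take them as plain arguments with lowercase header names; the secret and body are constructed sample values.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values for this example (not real secrets or events).
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"id":"evt_constructed","type":"ping"}'

def hmac_sha256(secret: bytes, msg: bytes) -> bytes:
    return hmac.new(secret, msg, hashlib.sha256).digest()

def same(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII header junk cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_github(headers: dict, body: bytes, secret: bytes) -> bool:
    # x-hub-signature-256: "sha256=" + hex HMAC-SHA256 of the raw body
    want = "sha256=" + hmac_sha256(secret, body).hex()
    return same(headers.get("x-hub-signature-256", ""), want)

def verify_shopify(headers: dict, body: bytes, secret: bytes) -> bool:
    # x-shopify-hmac-sha256: base64 HMAC-SHA256 of the raw body
    want = base64.b64encode(hmac_sha256(secret, body)).decode()
    return same(headers.get("x-shopify-hmac-sha256", ""), want)

def verify_stripe(headers, body, secret, max_age=300, now=None) -> bool:
    # stripe-signature: "t=<unix time>,v1=<hex>"; the MAC covers "<t>.<raw body>"
    raw = headers.get("stripe-signature", "")
    pairs = [p.strip().split("=", 1) for p in raw.split(",") if "=" in p]
    ts = next((v for k, v in pairs if k == "t"), "")
    if not ts.isdecimal():
        return False
    want = hmac_sha256(secret, ts.encode() + b"." + body).hex()
    signed = any(same(v, want) for k, v in pairs if k == "v1")
    now = time.time() if now is None else now
    # Reject old timestamps so a captured event cannot be replayed later.
    return signed and abs(now - int(ts)) <= max_age

if __name__ == "__main__":
    sig = "sha256=" + hmac_sha256(SAMPLE_SECRET, SAMPLE_BODY).hex()
    hdrs = {"x-hub-signature-256": sig}
    print(verify_github(hdrs, SAMPLE_BODY, SAMPLE_SECRET))         # genuine event
    print(verify_github(hdrs, SAMPLE_BODY + b" ", SAMPLE_SECRET))  # body altered
```

Verify against the exact bytes the provider sent; a body that has been re-serialized as JSON will not match. Events read from a mailbox some time after delivery may need a larger max_age for the Stripe check.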
#API Key Rotation
If your API key is compromised, regenerate it immediately from your dashboard. This will invalidate the old key. Update all applications using the old key before regenerating.
Agent Protocol Instruction