Authentication

For Custom endpoints, you can choose from three authentication methods so your receiver can verify that the request actually came from Recho.

info

Slack / Teams / Email endpoints already carry authentication in the URL or email address itself, so these authentication methods apply to Custom endpoints only.

NONE (no authentication)

Requests are sent without authentication headers or signatures. Use this only when your endpoint URL is closely held and hard to guess.

warning

For production traffic, prefer one of the methods below.

BEARER (Bearer token)

A token issued in the dashboard is attached to every request in the Authorization header.

Request headers

Authorization: Bearer <your-token>
Content-Type: application/json

Receiver-side verification

  • Compare the value against the token you registered for this endpoint.
  • Reject with 401 on mismatch.

Managing the token

  • Create: From the credentials dialog on the Webhook settings page.
  • View: Once created, the token can be revealed and copied at any time.
  • Update / delete: Through the same dialog.

SIGNATURE_RSA_SHA256 (RSA signature verification)

Recho signs each request with a private key; you verify the signature with the matching public key. Because the secret never leaves Recho, this method has the lowest leak risk and is the recommended choice.

Request headers

X-Recho-Signature: <base64-encoded-signature>
X-Recho-Timestamp: <unix-epoch-seconds>
Content-Type: application/json

Receiver-side verification steps

  1. Build the signed string: <timestamp> + "." + <raw-body>.
  2. Verify the RSA-SHA256 signature against the public key you registered.
  3. Confirm the timestamp is within an acceptable window (e.g. ±5 minutes) to prevent replay attacks.
  4. Reject with 401 if any of the above fails.
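The following receiver-side code is an added example, not Recho's own code or SDK. It implements both checks described on this page: the BEARER comparison (using a constant-time compare so a mismatch does not leak where the token diverged) and the four SIGNATURE_RSA_SHA256 steps, including the ±5 minute replay window. It assumes the `cryptography` package is installed and that Recho uses PKCS#1 v1.5 padding (the page does not state the padding; confirm it against the credentials dialog). The key pair, token and request body are constructed here purely for the demonstration; `make_demo_keypair` and `sign_request` stand in for Recho's signing side so the example runs offline.

```python
"""Receiver-side verification for Recho Custom webhook endpoints (added example)."""
import base64
import hmac
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

REPLAY_WINDOW_SECONDS = 300  # the +/-5 minute window suggested on this page


def verify_bearer(headers: dict, registered_token: str) -> bool:
    """BEARER: compare the Authorization header with the token registered for
    this endpoint. hmac.compare_digest keeps the comparison constant-time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), registered_token.encode())


def verify_rsa_signature(headers: dict, raw_body: bytes, public_key_pem: bytes,
                         now=None) -> bool:
    """SIGNATURE_RSA_SHA256: steps 1-3 from the page. Returns False whenever the
    caller should answer 401 (step 4)."""
    sig_b64 = headers.get("X-Recho-Signature")
    ts = headers.get("X-Recho-Timestamp")
    if not sig_b64 or not ts:
        return False
    try:
        signature = base64.b64decode(sig_b64, validate=True)
        ts_int = int(ts)
    except ValueError:  # malformed base64 or non-integer timestamp
        return False
    # Step 1: signed string is <timestamp> + "." + <raw-body>. Use the raw bytes
    # exactly as received; re-serialising parsed JSON would change the bytes.
    signed = ts.encode() + b"." + raw_body
    public_key = serialization.load_pem_public_key(public_key_pem)
    # Step 2: verify the signature with the registered public key.
    # Assumption: PKCS#1 v1.5 padding (not stated on the page).
    try:
        public_key.verify(signature, signed, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    # Step 3: reject stale or future-dated requests to limit replay.
    current = time.time() if now is None else now
    return abs(current - ts_int) <= REPLAY_WINDOW_SECONDS


# --- Demo-only stand-ins for Recho's signing side (constructed, not Recho code) ---

def make_demo_keypair():
    """Generate a throwaway RSA key pair; returns (private_key, public_key_pem)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def sign_request(private_key, timestamp: int, raw_body: bytes) -> dict:
    """Produce the request headers a sender would attach for a given body."""
    signed = str(timestamp).encode() + b"." + raw_body
    sig = private_key.sign(signed, padding.PKCS1v15(), hashes.SHA256())
    return {
        "X-Recho-Signature": base64.b64encode(sig).decode(),
        "X-Recho-Timestamp": str(timestamp),
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    priv, pub_pem = make_demo_keypair()
    body = b'{"event": "demo"}'        # constructed sample body
    ts = int(time.time())
    hdrs = sign_request(priv, ts, body)
    print("valid request:", verify_rsa_signature(hdrs, body, pub_pem))
    print("tampered body:", verify_rsa_signature(hdrs, body + b" ", pub_pem))
    print("replayed later:", verify_rsa_signature(hdrs, body, pub_pem, now=ts + 600))
```

Pass `raw_body` straight from the request stream; frameworks that parse JSON before your handler runs can alter whitespace or key order, and the signature is over the original bytes. A timestamp outside the window is rejected even when the signature is valid, which is the intended behaviour for replay protection.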

Managing the public key

  • Obtain: Copy the public key from the credentials dialog.
  • Visibility: Public keys are not secret and remain visible at all times.
  • Rotation: Issuing a new key replaces the active public key.

Recommendations

  • For production traffic, strongly prefer SIGNATURE_RSA_SHA256.
  • Use BEARER when a lightweight check is sufficient — keep the token secure and rotate it periodically.
  • Use NONE only in narrow scenarios such as private internal networks.