Authenticate with API Key
Summary

Categories: Webhook Authenticators
Tags: API
Authors: Cetmix OU
License: AGPL-3
Version: 1.0.0
Call sign: cx_webhook_authenticator_api_key
Website: https://cetmix.com

API Key Authentication

Secure your Cetmix Tower webhooks with simple and reliable API key–based authentication.

This Hangar template provides a reusable Webhook Authenticator that validates incoming requests using an API key sent in the X-Api-Key HTTP header. It ensures that only trusted systems can access your webhook endpoints.

Key Features

  • Header-based authentication using the X-Api-Key header.

  • Constant-time key comparison using hmac.compare_digest to mitigate timing attacks.

  • Centralized secret storage using Tower secrets.

  • Reusable authenticator that can be attached to multiple webhooks.

  • Clear HTTP responses for authentication failures.

How It Works

  1. The webhook receives a request.

  2. The authenticator reads the X-Api-Key header.

  3. The value is securely compared with a secret stored in Tower.

  4. If the key matches, the request is allowed.

  5. If the check fails, the request is rejected with an appropriate HTTP status.

Security Behavior

The authenticator validates several conditions:

  • Missing header → 401 Unauthorized

  • Invalid API key → 401 Unauthorized

  • Missing server secret configuration → 500 Server Error

  • Valid key → request allowed
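
The decision table above, written out as an added example; this is not the template's own code. The function name, return shape, the order of the checks and the 200 status for the allowed case are assumptions made for illustration.

```python
import hmac

HEADER = "x-api-key"  # HTTP header names are case-insensitive


def authenticate(headers, expected_key):
    """Return (allowed, http_status, message) for one webhook request.

    headers: mapping of request header names to values.
    expected_key: the server-side secret, or None/"" when not configured.
    (Hypothetical interface, not the Tower authenticator API.)
    """
    # Fail closed on a missing server secret. Without this check an empty
    # secret would compare equal to an empty header value.
    if not expected_key:
        return False, 500, "Server Error"

    # Normalise header names so "X-Api-Key" and "x-api-key" both match.
    supplied = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if not supplied:
        return False, 401, "Unauthorized"

    # compare_digest raises TypeError on non-ASCII str, so compare bytes.
    if hmac.compare_digest(supplied.encode("utf-8"),
                           expected_key.encode("utf-8")):
        return True, 200, "OK"  # status for the allowed case is assumed
    return False, 401, "Unauthorized"


if __name__ == "__main__":
    secret = "constructed-sample-key"  # constructed value, not a real key
    for hdrs in ({}, {"X-Api-Key": "wrong"}, {"x-api-key": secret}):
        print(hdrs, authenticate(hdrs, secret))
    print("no secret:", authenticate({"X-Api-Key": secret}, None))
```

Missing and invalid keys return the same 401 body, so a caller cannot tell from the response which of the two checks failed.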

Secret Management

The expected API key is stored as a Tower secret, keeping credentials out of code and allowing secure key rotation.

Typical Use Cases

This authenticator is ideal for:

  • Website contact form integrations

  • External automation tools

  • CRM or marketing platform integrations

  • Internal service-to-service communication

  • Any webhook requiring lightweight authentication

Result

By attaching this authenticator to your webhook endpoints, you add a secure access layer that protects your Tower automation workflows from unauthorized requests.

This package is distributed under the GNU Affero General Public License v3.0 (AGPL-3) or later.