How Do Webhook Security Measures Work When Frontend Sends Requests?

You're right on many counts! Any authentication done client-side can be manipulated. If you want to track visitors more accurately, like with Google Analytics, you can add a JWT to your tracking code. This helps filter out fake traffic from bad bots. Sure, it’s not foolproof, but using authenticated users helps in refining your data significantly.

I think there might be some confusion between a user token and a secret key here. A JWT token is usually unique for each user. The process generally goes like this: when a user visits your site and logs in, they receive a JWT which is saved locally in a cookie. When the frontend needs to call the webhook, it retrieves this JWT and includes it with the request. Then on the webhook side, you can validate that the JWT corresponds to an authorized user.

Webhooks really shouldn't be triggered from the frontend; they’re mainly for server-to-server communication. Typically, the frontend should interact with your backend through standard authenticated endpoints, which keeps the webhook calls secure. The backend would then use private credentials to call the webhook. If the frontend has the token and directly accesses the webhook, you're essentially exposing a private API instead of using webhooks correctly.

You're correct that anything on the frontend is visible to attackers, which is why secrets should only be managed on the server side. Webhooks are meant to be triggered by backend services, not from the user's browser. So remember this flow: browser -> your secure backend -> webhook endpoint. If the browser directly talks to the webhook, you're not actually implementing a secure structure.