Webhooks · Last updated April 23, 2026
Authentication
Most chat and automation webhook URLs embed the secret in the URL itself — Slack, Discord, Zapier, n8n — so no extra auth is needed. For your own backend or any API that expects an Authorization header, SaveForm supports four auth modes.
Auth types
| Type | Header(s) added |
|---|---|
| none | No auth headers added. The URL is the secret. |
| bearer | Authorization: Bearer <token> |
| api_key_header | Any header name (for example X-API-Key) plus its value. |
| basic | Authorization: Basic <base64(user:pass)> |
Bearer token
Pick this for most modern APIs. Paste the token in and SaveForm sends it as:
Authorization: Bearer sk_live_abc123…
API key header
Some APIs want a custom header name (X-API-Key, X-Auth, etc.). Specify both the header name and value — SaveForm sends it verbatim.
X-API-Key: sk_live_abc123…
Basic auth
Useful for legacy endpoints, reverse proxies, and internal tooling. SaveForm base64-encodes username:password and sends:
Authorization: Basic dXNlcjpwYXNzd29yZA==
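On the receiving side, your backend still has to check the header SaveForm sends. The following is an added example, not SaveForm's own code: a Python check for the three header-based modes above that compares secrets in constant time and rejects malformed input instead of raising. The function name, the `EXPECTED` table and its secret values are assumptions constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample secrets for the demo; load real ones from a secret store.
EXPECTED = {
    "bearer": "sk_test_constructed_token",
    "api_key_header": ("X-API-Key", "sk_test_constructed_key"),
    "basic": ("user", "password"),
}


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_webhook_auth(headers: dict, mode: str, expected=EXPECTED) -> bool:
    """Return True only if the request carries the credential for `mode`."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    if mode == "bearer":
        scheme, _, token = h.get("authorization", "").partition(" ")
        return scheme.lower() == "bearer" and _eq(token.strip(), expected["bearer"])

    if mode == "api_key_header":
        name, value = expected["api_key_header"]
        return _eq(h.get(name.lower(), ""), value)

    if mode == "basic":
        scheme, _, blob = h.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return False  # malformed credentials are a rejection, not a crash
        user, sep, password = decoded.partition(":")
        exp_user, exp_pass = expected["basic"]
        # Evaluate both comparisons before combining, so neither short-circuits.
        ok_user, ok_pass = _eq(user, exp_user), _eq(password, exp_pass)
        return bool(sep) and ok_user and ok_pass

    # "none" mode: the URL is the secret, so there is no header to verify here.
    return False
```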
Custom headers
Need extra static headers on top of (or instead of) the auth above? Paste them as JSON in the Custom headers box:
{
  "X-Environment": "production",
  "X-Team-Slug": "acme-inc"
}
Identifying SaveForm
Every webhook request includes these identifiers so you can verify the origin without extra setup:
User-Agent: SaveFormIO-Webhook/1.0
X-SaveForm-Webhook-Id: wh_01HT…
Signed request bodies (HMAC) are on the roadmap — if you need them sooner, drop a note via the FAQ page.