How would you secure this API?

I might just give up and use Supabase edge functions, but I wanted to ask how the below might work securely?

  1. A user clicks a button
  2. This triggers an API call to a webhook (that I’m hosting on n8n)
  3. The webhook receives the API call and then executes a workflow on n8n.

On steps #2 & #3, if the webhook does not have authentication enabled, anyone on the web can just ping my webhook, which would kick off my automation (bad!). I can set up custom authentication credentials on the webhook, but how do I store these credentials so that front-end users cannot see the credentials exposed on the request?

Thanks!

1 Like

I don’t think this is possible. You would have to store the auth info client-side. I’d go with an edge function and use the supabase auth.

2 Likes

Depends on what auth you use. You could generate JWT tokens and then verify them in n8n via the JWT secret. Would need some more info.

1 Like

Interesting. I’d need to dig more into that @Broberto, but thankfully there are some Supabase/Stripe tutorials I’ve been following that are allowing me to make some progress. Supabase is probably the “proper” way to build this sort of thing too I’d imagine.

Yes, with Supabase you have the auth and you don’t even need to do stuff like generating and resolving your own JWT as Supabase has it covered.