Configuration and security

Guidance on authenticating, retrying, and protecting your Recurly webhook endpoints.

This section covers how Recurly handles webhook retries, how to authenticate incoming webhook requests, and ways to secure your endpoint.

Prerequisites and limitations

  • Configure HTTP Basic Authentication if you wish to verify incoming requests.
  • Restrict access to Recurly’s IP ranges (see IP Whitelisting link below).
  • Web-application firewalls (e.g., ModSecurity) may block webhook traffic unless adjusted.

Key details

If Recurly fails to deliver a webhook, it will retry it (see Automatic Retries, below).

Webhooks support HTTP Basic Authentication to verify the request came from Recurly's servers.

Please see our IP Whitelisting documentation for the current list of Recurly IPs.
You may refuse other IP addresses at your endpoint or firewall.
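
One way to apply both checks at the endpoint, as an added example that is not Recurly's code: refuse callers outside the allowed ranges, then verify the Basic Authentication credentials with a constant-time comparison. The function names, the networks (documentation placeholder ranges) and the credentials are assumptions constructed for illustration; take the real ranges from the IP Whitelisting documentation.

```python
import base64
import hmac
import ipaddress

# Assumptions for this example: placeholder documentation ranges and
# constructed credentials. Load real values from your own configuration.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]
EXPECTED_USER = "webhook-user"
EXPECTED_PASSWORD = "constructed-secret"


def source_ip_allowed(remote_addr, networks=ALLOWED_NETWORKS):
    """True if the TCP peer address falls inside an allowed network."""
    # Pass the socket peer address; use X-Forwarded-For only when your own
    # reverse proxy sets it.
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d seen on dual-stack listeners
    return any(addr in net for net in networks)


def basic_auth_valid(header, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """Parse an Authorization header and compare credentials in constant time."""
    scheme, _, encoded = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    got_user, sep, got_password = decoded.partition(b":")
    user_ok = hmac.compare_digest(got_user, user.encode())
    pass_ok = hmac.compare_digest(got_password, password.encode())
    return bool(sep) and user_ok and pass_ok


def check_webhook(remote_addr, authorization_header):
    """Return the HTTP status to answer with: 403, 401, or 200 to proceed."""
    if not source_ip_allowed(remote_addr):
        return 403
    if not basic_auth_valid(authorization_header):
        return 401
    return 200
```

Call `check_webhook` with the connection's peer address and the raw `Authorization` header before parsing the request body.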

ModSecurity Users

Recurly does not endorse any specific web server or plugin, but if you run Apache with ModSecurity, you may need to disable rule #990011 so webhook requests are not blocked.