I think this sums it up. There's a PR in a review that I think would handle what you're asking, but it's not completed yet.
or embed the form via htmlembed
I haven't checked but mybe brevo form has a webhook api too, then it can be used with webhook form
I'm kind of embarrassed to admit this, but I've been waiting for that PR and didn't even think of creating my own custom form until this suggestion. Duh.
The pull request is still open. Webhook forms without the possibilty to authenticate are useless and insecure. I don‘t understand, why it took so long, to add some basic authentications. It‘s the same as in the cms features.
Of course you can put the whole form in a htmlembed. But this feels like we are in the nineties - not in 2025😉.
Wrong. Webhooks are not insecure, the url is never exposed on the client.
I don't think, that a hidden URL should be the only security feature when it comes tu CRUD operations. For only reading its maybe acceptable, but not for updates and delete. Thats why you can add security to most webhooks, even in n8n. It´s still insecure, as soon as somebody gets the URL 😉
It's not like an e2e encryption level secure, but the hook url can contain a hash that can't be guessed and isn't exposed anywhere ... so its secure enough for most use cases
Webhooks is kinda a most used pattern for forms, all platforms support it
Resource as part of wehook form will be suported at some point as you see in that PR.
We want this feature just as much as you do.
But this feels like we are in the nineties - not in 2025 😉
Rude.
Sending data for CUD operations to a webhook without authentication is insecure. The Main Concept of webhooks is to inform another application not for building insecure api endpoints. Yes, you can build this with n8n, but you should‘t do that. Thats why you can add authentification to n8n webhooks.
Are we going to argue about definition of the word "secure" in every context of it's meaning?
No, but in my opinion you have a wrong understanding, of what a webhook is made for. It‘s for sharing events with other Applications not for a full API endpoint - wich is offering CRUD operations.
Ofc I am wrong, nobody is using webhooks for submitting forms.
Nobody said webhooks are full API endpoints.
Maybe you should read a little bit about webhook security. It‘s not about the webhook or api endpoint, it‘s about the usage and the data your sending to it.
And since you are offering a form builder, you can never know wich data it will handle. So it‘s important to build it secure.
Sir. I don't know who you are trying to teach here. Fully aware of the potential downsides. I am quitting this discussion because this is not productive in any way.
Sending data for CUD operations to a webhook without authentication is insecure.
Doesn't auth header, JWT token etc is not enough for authentication?
Or every webhook provider in the internet is wrong?
Let's on real example, what is wrong, and how it should be?
Or, the question is: which is more secure for server-to-server communication?
A hook with a key in the path or a hook that checks a specific header?
Both are equally secure for server-to-server communication.
In both cases, an attacker would need to discover the key.
In browser environment above is not true
Url in browser environment considered unsecure because of browser history and various other reasons.
I think he doesn't understand that this is server-to-server communication.
Most things were right few years ago, but now server logs are reducted and sanitized so no leaks are possible
yeah, also good luck with hacking logging infra
maybe just hack https when you are at it
Progress does not stand still, and a huge number of vulnerabilities that were known in the past are now almost impossible to reproduce or are highly theoretical. Most security recommendations were once written in blood but are no longer relevant.
A theoretically secure key can still be compromised through log reduction, just like a random ID might not look like an ID. If someone with log access (but no direct DB access) finds the key, they could misuse it. Fortunately, we’re a small company with no dedicated log readers. Since our log retention is only a few days for now, we’ll reconsider our security model when that changes.
In any case, we are human and can make mistakes. If you have a specific example of something wrong, we’d be happy to take a look.
For me it is a matter of course to use secure webhooks instead of a public URL whose only security is that nobody knows it at the moment. You can read this article
https://snyk.io/de/blog/creating-secure-webhooks/. It descripes the best security practices. I want only that it is possible to use an authenticate connection.
You still don't understand how it works on webstudio. We are not sending a request to a webhook from the client.
I am locking this discussion, because it has wasted our time a lot. Independent of this Webhook Form will get accesss to Resource in the future, but that's not because current webhook is insecure.
