Webhook Authentication Methods

To ensure that your other systems recognize and accept webhooks from Bringg, you may need to include authentication data in your webhooks. To do this, add authentication methods in Bringg, then select the relevant authentication method when registering for individual webhooks.

Bringg supports the following authentication methods for webhooks:

JSON Web Token (JWT)This method consists of three parts: a header, a payload, and a signature. The header contains information about the type of token and the algorithm used for the signature. The payload contains the claims or information about the user or entity being authenticated. The signature is created by hashing the header and payload with a secret key to ensure the integrity of the token.
OAuth 2.0OAuth 2.0 provides multiple layers of security, requiring Bringg to access a token to include in your webhooks. To use OAuth 2.0, create an app in the receiving system to generate a Client ID and a Client secret for Bringg to use when requesting an authentication token.
You can determine if OAuth 2.0 data is included in webhooks as a form, JSON, or query strings.
Static HeadersInclude an authorization token or API key in the header of the HTTP request.

Authentication Examples

    "auth": {
      "type": "oauthBasic"
      "clientId": "your_ID",
      "clientSecret": "your_client_secret",
      "baseUrl": "your_URL",
      "path": "/oauth/token",
      "scope": "write:orders",
      "grant_type": "client_credentials" 
        "authenticator": {
            "bearer_name": "JWTBearer",
            "name": "jwt",
            "signature_header": "Authorization",
            "jwtConfig": {
                "header": {
                    "alg": "HS256"
                "payload": {
                    "sub": "bringg-event",
                    "aud": "your-audience",
                    "iss": "https://us2-admin-api.bringg.com",
                    "exp": 20160,
                    "iat": 0
                "signature": {
                    "key": "yourkey",
                    "type": "base64"
"headers": {
  "Authorization": "Bearer xxxxxxxxxxxx",
  "application-key": "xxxxxxxxxxxxxx"

Before You Begin

  • Confirm you have the Admin user type in ​Bringg.
  • Determine the requirements of the systems that are listening for webhooks from Bringg.
    • Check which authentication method they require.
    • List the specific fields that they require. For example, do scopes (access levels) need to be defined?
      You can find a list of possible fields for OAuth 2.0 and JWT below.
    • Generate and copy API keys.

Configure JWT or OAuth 2.0

  1. In Bringg, select your username from the sidebar, then select ​Settings > Platform Integrations > Authentication Methods.
  2. Select Add Authentication Method.
  3. Under Use for, select Webhooks.
  4. Enter a Display name for the authentication method that you and other members of your team will recognize. For example, you can enter the authentication type.
  5. Select the relevant authentication type ( JWT or OAuth 2.0).
  6. Enter the relevant details for the selected method:

OAuth 2.0

Client IDThis is the public identifier for your OAuth app and does not change, even when you regenerate the key. You can think of this as the app username.
Client secretThis is the key that Bringg uses to request an authentication token. You can think of this as the app password.
Authorization URLThis is where Bringg sends the token request, including your Client ID and Client secret key.
Path(Optional) A URL path includes a forward slash / and content following it. For example, in the URL for this article, the path is /docs/webhook-authentication-methods-copy.
Request typeThis determines how Bringg includes your OAuth data in webhooks:

- Form: included as form data in the body of the webhook HTTP request. The header Content-Type: application/x-www-form-urlencoded) instructs your listening system to parse the included form.

- JSON: included in the body of the HTTP request using JSON formatting.

- Query strings (qs): included in the HTTP request URL. This is generally considered less secure than the other options.
Scope(Optional) Scopes determine which data in the receiving system Bringg's webhooks can change. The structure of scopes varies and depends on the structure of your listening system, but they are typically formatted as access level: resource. For example, read:orders.
Select None to send an empty set of scopes, or select Enter your own to add the required scopes for this webhook.
Resource(Optional) This is the resource that the authentication method is requesting access to.
Headers(Optional) Add static headers to be included in all webhooks using this authentication method. Static heads are made up of key-value pairs.


Signature keyThis is the key provided by your receiving system and appears below the webhook payload as part of the signature object.
Token expirationThis indicates how long the token can be used before it expires, in minutes.
Issuer (iss)This is the identity of the entity sending the webhook (Bringg).
AlgorithmThis is the algorithm used to encrypt the signature key.
Audience (aud)This specifies the audience for your webhook. This is one way that your systems filter the payloads they receive.
Subject (sub)This is a unique identifier that is recognized by the recipient system. This could be an email or a tag like bringg-event.
Encoding(Optional) When base64 encoding is enabled, the header and payload are converted into ASCII string format, making it possible to send where text-based communication is required or preferred.
Not before (nbf)(Optional) This determines when the token becomes valid. It cannot be used "before" the specified time. This should be formatted in Unix epoch time.
Token TypeThis lets your listening system know the structure and format of the access token.
  1. Select Save to finalize your authentication method.
Images of adding OAuth 2.0 (left) and JWT (right) Authentication Methods

Images of adding OAuth 2.0 (left) and JWT (right) Authentication Methods

Configure static headers

You can configure static headers when subscribing to individual webhooks.

Edit or Delete an Authentication Method

  1. To update or remove an authentication method, open Bringg and navigate to Settings > Platform Integrations > Authentication Methods.
  2. Select the action menu next to the relevant method, then select Edit or Delete.



Depending on the configuration of your external systems, editing or deleting an authentication method can cause your webhooks to fail. Be sure to test your webhooks after making changes.

Subscribe to Webhooks

Once you create authentication methods, you can select the appropriate one for each webhook. Learn more about subscribing to webhooks.