Taking your app to the next level.
WorkOS uses Cloudflare to ensure the security and reliability of all operations. If you are looking to create a list of allowed IP addresses for incoming requests, you can use the IP Ranges listed in the Cloudflare documentation.
Handle edge cases

You may occasionally receive duplicate webhook events. To prevent duplicate processing of events, we suggest caching received events and implementing logic to skip processing seen events.
Webhook events may be delivered out of order, i.e. not in the order in which they were generated, so your handler must not assume that arrival order matches generation order. The issued_timestamp extracted from the WorkOS-Signature header can be used to determine order.
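One way to combine the duplicate cache and the issued_timestamp ordering check described above, as an added example that is not WorkOS code. Assumptions: the header value has the layout `t=<issued_timestamp>, v1=<signature_hash>`, each event body carries an `id` and a `data.id` naming the object it describes, and `WebhookGate` is a hypothetical in-memory helper (a multi-instance deployment would keep this state in a shared store).

```python
from collections import OrderedDict


def parse_issued_timestamp(header):
    # Assumed header layout: "t=<issued_timestamp>, v1=<signature_hash>".
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    return int(fields["t"])


class WebhookGate:
    """Classifies an event whose signature has already been verified."""

    def __init__(self, max_seen=10_000):
        self.seen = OrderedDict()  # event id -> None, bounded cache, oldest first
        self.latest = {}           # object id -> newest issued_timestamp applied
        self.max_seen = max_seen

    def decide(self, event, signature_header):
        issued = parse_issued_timestamp(signature_header)
        if event["id"] in self.seen:
            return "duplicate"             # redelivery of an event already handled
        self.seen[event["id"]] = None
        if len(self.seen) > self.max_seen:
            self.seen.popitem(last=False)  # evict the oldest remembered id
        key = event["data"]["id"]          # assumed field: the object the event is about
        if issued < self.latest.get(key, 0):
            return "stale"                 # a newer event for this object was applied
        self.latest[key] = issued
        return "process"


def demo():
    # Constructed deliveries: (event body, WorkOS-Signature header value).
    deliveries = [
        ({"id": "evt_01", "data": {"id": "user_1"}}, "t=1000, v1=aaaa"),
        ({"id": "evt_01", "data": {"id": "user_1"}}, "t=1000, v1=aaaa"),
        ({"id": "evt_03", "data": {"id": "user_1"}}, "t=3000, v1=cccc"),
        ({"id": "evt_02", "data": {"id": "user_1"}}, "t=2000, v1=bbbb"),
        ({"id": "evt_04", "data": {"id": "user_2"}}, "t=1500, v1=dddd"),
    ]
    gate = WebhookGate()
    return [gate.decide(event, header) for event, header in deliveries]


if __name__ == "__main__":
    print(demo())
```

Dropping stale events suits handlers that overwrite an object's state from each event; a handler that needs every event should instead queue them and sort by issued_timestamp.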
Register a production webhook URL in your Production Project.
Set and secure your Production Project's Webhook Secret.
Set and secure your Production Project's API key.
Ensure that your application can receive webhooks from WorkOS.
Depending on your network architecture, you may need to allow incoming traffic from api.workos.com.
WorkOS currently cannot guarantee that webhook traffic will originate from a static set of IP addresses.