Unauthenticated webhook in n8n
- Feb 12
Updated: Feb 13
What this means (non-technical)
An unauthenticated webhook is a public URL that triggers your workflow without checking who sent the request. If someone knows the webhook URL, they can trigger it.
No password. No secret header. No validation.
What usually goes wrong
Anyone can call the webhook and trigger your automation.
If the workflow writes to a database, sends emails, or updates systems, outsiders can cause those actions to run.
Bots can repeatedly hit the webhook, consuming your server resources.
Because the request looks “normal,” it may not be obvious that it came from an unauthorized source.
This can lead to confusing data changes and unexpected costs.
When this becomes urgent
This becomes urgent when:
- The webhook performs sensitive actions.
- It updates or deletes data.
- It sends customer-facing messages.
- The n8n instance is publicly accessible.
The more powerful the workflow, the riskier an open webhook becomes.
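As an added example (not part of the original article and not n8n's own code), this JavaScript check reads an exported workflow and lists Webhook nodes left without authentication, together with the nodes a request to them can reach. It assumes the n8n export layout (`nodes[].type`, `parameters.authentication`, `connections`) and that an omitted `authentication` parameter means the default of none; the sample workflow is constructed.

```javascript
// Added example, not from the article: audit an exported n8n workflow for open webhooks.
const WEBHOOK_TYPE = "n8n-nodes-base.webhook";
// Follow workflow.connections breadth-first from one node name.
function reachableFrom(workflow, start) {
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const outputs = (workflow.connections || {})[queue.shift()] || {};
    for (const branches of Object.values(outputs)) {
      for (const edge of (branches || []).flat()) {
        if (edge && !seen.has(edge.node)) { seen.add(edge.node); queue.push(edge.node); }
      }
    }
  }
  seen.delete(start);
  return [...seen];
}

function findOpenWebhooks(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== WEBHOOK_TYPE) continue;
    const params = node.parameters || {};
    // Assumption: a missing "authentication" parameter means the default, "none".
    if ((params.authentication || "none") !== "none") continue;
    findings.push({
      node: node.name, path: params.path || "",
      // The production URL only answers when the workflow is active and the node is enabled.
      reachable: Boolean(workflow.active) && !node.disabled,
      triggers: reachableFrom(workflow, node.name),
    });
  }
  return findings;
}

// Constructed sample export; node names and paths are made up for illustration.
const wire = (node) => [[{ node, type: "main", index: 0 }]];
const sampleWorkflow = {
  name: "Order intake", active: true,
  nodes: [
    { name: "Open hook", type: WEBHOOK_TYPE, parameters: { httpMethod: "POST", path: "orders" } },
    { name: "Legacy hook", type: WEBHOOK_TYPE, disabled: true, parameters: { path: "old", authentication: "none" } },
    { name: "Billing hook", type: WEBHOOK_TYPE, parameters: { path: "billing", authentication: "headerAuth" } },
    { name: "Insert row", type: "n8n-nodes-base.postgres", parameters: {} },
    { name: "Send email", type: "n8n-nodes-base.emailSend", parameters: {} },
  ],
  connections: { "Open hook": { main: wire("Insert row") }, "Insert row": { main: wire("Send email") } },
};
console.log(JSON.stringify(findOpenWebhooks(sampleWorkflow), null, 2));
```

The `triggers` list shows which downstream actions an unauthenticated caller can set off, which is what decides how urgent a finding is.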
Definitions
Webhook: A public URL that triggers a workflow when it receives an HTTP request.
Authentication: A way of verifying that the sender is allowed to access the endpoint.
Disclaimer
This article highlights common patterns and risks seen in real-world n8n workflows. It’s meant to help you build more confidently and avoid surprises as your automation grows. Behavior can vary depending on your setup, version, and configuration.