How to deal with :protect_from_forgery with typeform webhook post request

Looked through the Phoenix documentation and I couldn’t find any information on how to deal with an invalid CSRF token using :protect_from_forgery.

Currently I have a Typeform webhook that makes a POST request to my API whenever someone completes my form.

In my router.ex file I have this:

  if Mix.env() in [:dev, :test] do
    import Phoenix.LiveDashboard.Router

    scope "/" do
      pipe_through [:fetch_session, :protect_from_forgery]

      post "/", ApiWeb.PageController, :index

      live_dashboard "/dashboard", metrics: ApiWeb.Telemetry
    end
  end

When I tested my webhook, my API returned a 403 error saying invalid CSRF token.

When I removed :protect_from_forgery, my API returns a 201.

What I’m trying to do is include :protect_from_forgery and still return a 201 from the Typeform webhook call. What am I supposed to do?

maybe you can pass the csrf token to the typeform?
(never used it, no idea whether it’s possible)
then the typeform could also submit the token along with the post data.

Simply have a different plug pipeline for API requests that doesn’t include the CSRF check.

hey @sc4224

If you are trying to prevent someone from submitting things to the webhook handler endpoint, you should probably use the built-in Typeform signature.

Typeform signs every payload sent with the secret of your choice. If the signature does not match it means it does not come from Typeform and should not be taken into account.

Here is the documentation

Unfortunately, there is no Elixir sample at the moment.

cheers
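
The last two suggestions combined, as an added example that is not part of the original thread or of Typeform's documentation: a webhook pipeline without the CSRF check, guarded by a plug that verifies the payload signature. The module names, the `:api` application name, the `:typeform_webhook_secret` config key and the `/webhooks/typeform` route are hypothetical; the header format `Typeform-Signature: sha256=<Base64 HMAC-SHA256 of the raw body>` is an assumption to check against the Typeform documentation linked above.

```elixir
# Added example. Module names, the config key and the route are hypothetical.

# Keeps a copy of the raw body; the HMAC covers the exact bytes that were sent,
# not the re-encoded JSON. Wire it up in endpoint.ex:
#   plug Plug.Parsers, parsers: [:json], json_decoder: Jason,
#     body_reader: {ApiWeb.CacheBodyReader, :read_body, []}
defmodule ApiWeb.CacheBodyReader do
  def read_body(conn, opts) do
    case Plug.Conn.read_body(conn, opts) do
      {:ok, body, conn} -> {:ok, body, Plug.Conn.assign(conn, :raw_body, body)}
      other -> other
    end
  end
end

defmodule ApiWeb.Plugs.VerifyTypeformSignature do
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    secret = Application.fetch_env!(:api, :typeform_webhook_secret)
    raw_body = conn.assigns[:raw_body] || ""

    # Exactly one signature header must be present and it must match.
    with [header] <- get_req_header(conn, "typeform-signature"),
         true <- valid_signature?(raw_body, header, secret) do
      conn
    else
      _ -> conn |> send_resp(403, "invalid signature") |> halt()
    end
  end

  # Assumed header format: "sha256=" <> Base64(HMAC-SHA256(secret, raw_body)).
  def valid_signature?(raw_body, header, secret) do
    mac = :crypto.mac(:hmac, :sha256, secret, raw_body)
    # Constant-time comparison avoids leaking how many bytes matched.
    Plug.Crypto.secure_compare("sha256=" <> Base.encode64(mac), header)
  end
end

# router.ex: no :protect_from_forgery here; the signature check replaces it.
#   pipeline :typeform_webhook do
#     plug :accepts, ["json"]
#     plug ApiWeb.Plugs.VerifyTypeformSignature
#   end
#   scope "/webhooks", ApiWeb do
#     pipe_through :typeform_webhook
#     post "/typeform", PageController, :index
#   end
```

CSRF tokens protect browser sessions, so a server-to-server webhook has no token to send; the shared-secret signature is what authenticates the caller on this route.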