Check out our new GPU Glossary! Read now
Modal logo
IntroductionCustom container images Defining ImagesPrivate registriesFast pull from registryGPUs and other resources GPU accelerationUsing CUDA on ModalReserving CPU and memoryScaling out Scaling outDicts and queuesJob processingConcurrent inputs on a single container (beta)Dynamic batching (beta)Scheduling and cron jobsDeployment Apps, Stubs, and entrypointsManaging deploymentsInvoking deployed functionsContinuous deploymentSecrets and environment variables SecretsEnvironment variablesWeb endpoints Web endpointsStreaming endpointsWeb endpoint URLsRequest timeoutsWebhook tokens (beta)Networking Tunnels (beta)Proxies (beta)Data sharing and storage Passing local dataVolumesMounting local files and directoriesStoring model weightsDataset ingestionCloud bucket mountsNetwork file systems (superseded)Sandboxes SandboxesRunning commandsNetworking and securityFile accessSnapshotsPerformance Cold start performanceMemory Snapshot (beta)Geographic latencyReliability and robustness Failures and retriesPreemptionTimeoutsTroubleshootingSecurity and privacyIntegrations Using OIDC to authenticate with external servicesConnecting Modal to your Vercel accountConnecting Modal to your Datadog accountConnecting Modal to your OpenTelemetry providerOkta SSOSlack notifications (beta)Other topics File and project structureDeveloping and debuggingModal user account setupWorkspacesEnvironmentsJupyter notebooksAsynchronous API usageGlobal variablesRegion selectionContainer lifecycle hooksParameterized functionsS3 Gateway endpoints

Webhook tokens (beta)

To prevent users outside of your workspace from discovering and triggering web endpoints that you create, Modal will check for the Proxy-Authorization header on HTTP requests to the endpoint. You can populate that header with tokens created under Settings > Webhook tokens.

By default, webhooks created by the web_endpoint, asgi_app, wsgi_app, or web_server decorators are publicly available. The optional field requires_proxy_auth protects your web endpoint by verifying a token passed in the Proxy-Authorization header. Requests without that header will receive the HTTP error 407 Proxy Unauthorized unless valid credentials are supplied.

import modal

@app.function()
@modal.web_endpoint(requires_proxy_auth=True)
def app():
    return "hello world"

To trigger the endpoint, create a Webhook token, which will generate a token ID and token secret that you use to prove the authorization of your request. In requests to the web endpoint, add the Proxy-Authorization HTTP header and supply your token in the header value. We use the Basic authentication scheme and expect base64 encoding of [TOKEN_ID]:[TOKEN_SECRET] for the credentials.

export TOKEN_ID=wk-1234abcd
export TOKEN_SECRET=ws-1234abcd
curl https://my-secure-endpoint.modal.run -H "Proxy-Authorization: Basic $(echo -n $TOKEN_ID:$TOKEN_SECRET | base64)"

Everyone within the workspace of the web endpoint can manage the tokens that will be accepted as valid authentication.