API & Developers

What IPs to whitelist for the webhook callback?

Hello,

When an event happens in Smartsheet, we are trying to post data to a webhook URL but do not know what URL to whitelist. We tried "aws.relay.smartsheet.com" but this is not working. Any guidance here?

Answers

  • Community Champion

    Hi @soodie

    According to the Smartsheet API documentation (https://smartsheet.redoc.ly/tag/webhooks/#section/Webhook-Security), Smartsheet does not publish a static list of IP addresses for webhook callback requests. Instead, they recommend a more secure and reliable method of verifying webhook authenticity by using a "sharedSecret" with HMAC-SHA256 signature validation.

    Important Note:
    You cannot provide your own sharedSecret when creating a webhook. Smartsheet automatically generates the shared secret and includes it in the API response after the webhook is created. It is your responsibility to securely store that shared secret (e.g., in a secure secret manager like Google Secret Manager, AWS Secrets Manager, or Azure Key Vault).

    Recommended Approach:
    When you create a webhook, Smartsheet assigns a unique sharedSecret to it. Smartsheet uses this secret to compute a cryptographic signature (HMAC-SHA256) of the request body, which it includes in the Smartsheet-Hmac-SHA256 HTTP header for each webhook event.

    On your server, you can then:

    1. Read the raw request body and the Smartsheet-Hmac-SHA256 signature header.
    2. Retrieve the correct sharedSecret for the webhook (e.g., by matching the sheetId or webhookId).
    3. Recompute the HMAC using the retrieved sharedSecret and the request body.
    4. Compare your computed value with the received signature.

    If they match, you can be confident that the request came from Smartsheet and was not tampered with in transit.

    This method is far more secure and preferred over IP allowlisting, especially since Smartsheet's webhook infrastructure may send requests from dynamic or cloud-based IPs (e.g., AWS), which can change without notice.

    Official Documentation:
    https://smartsheet.redoc.ly/tag/webhooks/#section/Webhook-Security/HMAC-SHA256-Signatures

    Hope this clears things up!
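
An added example, not part of the answer above and not Smartsheet's own code: the four verification steps the answer lists, written in Python. It assumes the header value is the hex-encoded HMAC and that the callback body carries a `webhookId` field; `SECRETS`, `sign` and `verify_callback` are hypothetical names, and the sample body and secret are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample store: webhookId -> sharedSecret. In production these
# come from a secret manager, never from source code.
SECRETS = {"4503604829677444": b"constructed-shared-secret"}

SIGNATURE_HEADER = "smartsheet-hmac-sha256"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (hex encoding assumed)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_callback(headers: dict, raw_body: bytes, secrets: dict = SECRETS) -> bool:
    """Return True only if the signature header matches the raw body."""
    # Step 1: HTTP header names are case-insensitive; normalize before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return False
    # Step 2: parse the body only to pick the secret. Its content stays
    # untrusted until the HMAC check below has passed.
    try:
        webhook_id = str(json.loads(raw_body).get("webhookId"))
    except (ValueError, AttributeError):
        return False
    secret = secrets.get(webhook_id)
    if secret is None:
        return False
    # Step 3: recompute over the raw bytes, never over re-serialized JSON.
    expected = sign(secret, raw_body)
    # Step 4: constant-time comparison avoids leaking how much matched.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    body = b'{"webhookId": 4503604829677444, "events": []}'  # constructed
    good = {"Smartsheet-Hmac-SHA256": sign(SECRETS["4503604829677444"], body)}
    print("valid:", verify_callback(good, body))
    print("tampered:", verify_callback(good, body + b" "))
    print("unsigned:", verify_callback({}, body))
```

Pass the body bytes exactly as they arrived on the wire; a framework that parses and re-serializes the JSON before your handler sees it will produce a different HMAC.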

  • @jmyzk_cloudsmart_jp Our problem is we cannot get Smartsheet to reach our network. The question was centered around what we whitelist in our company's firewall, as we block all requests from unknown IPs. Do we just have to whitelist "aws.relay.smartsheet.com"?
