Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi All,
I'm building an API/Webhook that can accept data sent by a form created in the JotForm.com service. So when a webform is submitted from the JotForm website, the data is also sent to a URL on my website which does some manipulation of the data. Is there a way to lock down the api so that only form posts sent from that particular JotForm address are processed?
Hey @bahamagician, Looks like you need a middleware where you check if the request originates from the JotForm server. If not do not process the request.
You could do this using $request->headers
Then apply this middleware for your route or on your method.
Sadly, I tried this but when I tried using $request->header('host') it returned the url of my api and not the jotform. Other than that, there's not any identifying headers sent with the request.
The way I would handle this type of use case is to use an API key to secure my endpoint.
you could create a signed url within your app with tinker and then add this to jotform as the place they should send to
it has no security other than only people who know the full signed link can post there
Please or to participate in this conversation.