Incoming webhook url exposed


We are currently hosting enterprise mattermost for a company with daily 800 users. There are a few incoming webhooks that are being used. I was just wondering whether or not there is a possibility to limit who can use the webhook URL. It seems that if the url is known then anyone can send a message using that webhook.

Is this by design or are there any way of restricting the possibility of using the url for within the organisation?

I have seen that there was a PR on github but it hasnt been accepted yet.

Best regards,


Hi again,

Is there anyone who can answer the question above?

Iā€™m not aware of a current workaround, but there is a pull request in progress by a community member which is currently being reviewed by our dev team:

1 Like