Novu Cloud workers will need to be able to communicate with your Bridge Endpoint. You will need to ensure that your firewall rules allow traffic from the internet. Due to the autoscaling nature of Novu Cloud, we don’t have a set of IP Addresses that you can whitelist.


Novu Cloud workers are GDPR, SOC2 type II and ISO 27001 compliant. We take security very seriously and have implemented a number of security measures to ensure that your data is safe. Novu Framework has a builtin security mechanism that ensures that the requests are authentic from Novu Cloud using an HMAC signature.

HMAC Verification is turned on by default

export const client = new Client({
  secretKey: process.env.NOVU_SECRET_KEY,
  strictAuthentication: process.env.NODE_ENV !== "development", // set to true by default

For local development with Studio strictAuthentication should be set to false.

The X-Novu-Signature header included in each signed event contains a timestamp and one or more signatures that we verify. The timestamp is prefixed by t=, and each signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid live signature scheme is v1.

Handling the signature verification is done by the Novu Framework, so you don’t need to perform any action.