Flows created with the “When a HTTP request is received” trigger can be executed by anyone that knows the URL. This post covers details how to secure the HTTP trigger by using a trigger condition.
I have created a simple two step flow that sends me an email when the flow is triggered:

Using a condition within the flow to compare a value passed in the HTTP works, but will consume a flow run.
Secure the Trigger with a condition to evaluate if the flow should execute
A better method is to use the Trigger Conditions functionality to test if a flow should execute. Trigger conditions must evaluate to true or false, there is a good introduction to trigger conditions here. I will demonstrate the basic premise with an example.
First, access the trigger settings by clicking on the ellipses of the HTTP Trigger:

Set a condition for the trigger, if this condition does not evaluate to true, the flow will not run:

I am passing the header “runKey” to the HTTP Request and testing to see if it matches a random string. Here is the code:
@equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')
The advantages of trigger conditions are:
- It does not execute at all if the condition is not met.
- The flow executes faster as there is no condition within the flow.
- Your run history is cleaner (it only shows if the condition was met).
- The flow is less complicated.
Build the required trigger expression
Instead of writing the trigger condition manually, let Power Automate build it for you. Create a compose action in your flow that evaluates to true or false and copy the code into the trigger condition.

Testing the security with PowerShell
I tested execution of the HTTP trigger in Powershell with the following code:
$flowURI = "https://prod-31.westeurope.logic.azure.com:443/workflows/..." $messageSubject = "Testing HTTP Security Trigger" $messageBody = "Execution test from Powershell" $params = @{"messageSubject"="$messageSubject";"messageBody"="$messageBody"} $headers = @{'runKey' = 'FSgWPsAEBDP6epQZ'} Invoke-WebRequest -Uri $flowURI -Method POST -Headers $headers -ContentType "application/json" -Body ($params|ConvertTo-Json)
In my run history I can see all of the data that PowerShell transferred:
{ "headers": { "Expect": "100-continue", "Host": "prod-31.westeurope.logic.azure.com", "User-Agent": "Mozilla/5.0,(Windows NT; Windows NT 10.0; en-GB),WindowsPowerShell/5.1.18362.752", "runKey": "FSgWPsAEBDP6epQZ", "Content-Length": "115", "Content-Type": "application/json" }, "body": { "messageSubject": "Testing HTTP Security Trigger", "messageBody": "Execution test from Powershell" } }
I hope this helps, if you have any clever ideas to add to this method, please let me know!