
Hi @basdebruin ,


I hope you’re doing well.


I’m new to monday.com and currently working on a quickstart-fullstack-react-node app. I’m facing a couple of challenges related to authentication and integration setup, and I would appreciate your guidance.


1. App Signing Secret for Authentication


To verify incoming requests from monday.com to my backend, I understand that I need to use the app’s signing secret. However, I’m unsure about:




  • How to obtain the signing secret for each user or account using the app.




  • How to securely store this secret in my backend—ideally in the .env file—and whether it changes per user or remains static for the app.




2. Custom Trigger and Custom Action Integration


I’ve built a custom trigger and a custom action in my monday.com app. Here’s how the flow is set up:



  • When an event occurs in my external system, it sends a payload to our middleware through a webhook.

  • The middleware processes this data and then forwards it to the webhook URL provided by the monday.com custom trigger.

  • This is supposed to trigger the custom action, which will then make an API request to monday.com (e.g., to update a board or item).


However, when the middleware makes a request to the custom action’s webhook URL, I’m getting an “authentication failed” error.


What I’ve Tried



  • I tried using the signing secret in the request header to authorize the request to the webhook URL.

  • I also verified that the payload structure matches the expected format for the custom trigger.

  • Despite this, the request fails with an authentication error, and I’m unsure whether I’m missing a specific header, token, or step in the flow.


Questions



  • How should I correctly authorize a request to the webhook URL obtained from a custom trigger?

  • Should I use a short-lived token instead of the signing secret?

  • Is there any example or documentation you can point me to that explains how the authentication for custom actions should work, especially when sending data from an external system?


Thank you so much for your help and guidance. I’m really excited to continue building on monday.com and hope to resolve these issues soon.


Thanks,

Kithiyon

hi @Kithi


Not sure this is the exact answer you are after. If you use seamless authentication monday will send you an encrypted shortLivedToken when posting to your app’s action endpoint. The header contains the authorization which can be used to:



  1. verify the post is signed correctly

  2. retrieve the shortLivedToken


For (1) you probably want to add some middleware in your routes, like:


```javascript
router.post("/app-end-point/recipeaction", authenticationMiddleware.authMonday, autoIdColumnController.recipeAction);
```

In this case the middleware (authenticationMiddleware.authMonday) verifies the post with:


```javascript
const jwt = require("jsonwebtoken");

// The app's signing secret (see the Developers section); the environment
// variable name is illustrative, load it from wherever you keep secrets.
const mySigningSecret = process.env.MONDAY_SIGNING_SECRET;

async function authMonday(req, res, next) {
  try {
    let { authorization } = req.headers;
    let { challenge } = req.body;
    // The challenge from the webhook is not signed
    if (challenge) return next();
    // Some requests carry the token as a query parameter instead of a header
    if (!authorization && req.query) {
      authorization = req.query.shortLivedToken;
    }
    // Throws if the signature is invalid or the token has expired
    const { accountId, userId, backToUrl } = jwt.verify(authorization, mySigningSecret);
    req.session = { accountId, userId, backToUrl };
    next();
  } catch (err) {
    res.status(401).json({ error: "not authenticated" });
  }
}

module.exports = { authMonday };
```

The variable mySigningSecret can be found on your app’s page in the Developers section.


For (2) your action endpoint can do something like this:


```javascript
// Same verification as in the middleware, this time keeping the shortLivedToken claim
const { accountId, userId, aud, exp, iat, shortLivedToken } = jwt.verify(authorization, mySigningSecret);
```

to obtain the shortLivedToken. This token can be used in all monday API calls.


In general the .env file is not the best place to store secrets, just Google “is nodejs .env file safe for secrets”.


Hi @basdebruin


1. How to handle signing secret for production users?


I understand that I need the signing secret to retrieve the short-lived token from a Monday.com request.


For testing, I manually copied the signing secret from my developer account and added it to my Node.js .env file. However, when our app goes live, how should I obtain the signing secret for each user?



  • Should I ask the user to enter it manually via the UI?

  • Or is there an official method or workaround provided by the Monday.com platform to access it securely?




2. Unauthorized error while forwarding Twilio webhook payload


I have a custom trigger in my Monday.com app, which provides a webhookUrl.

Separately, I’ve created a webhook in Twilio, with its callback URL pointing to our own middleware endpoint.


Here’s the flow:



  1. Twilio sends the payload to our middleware.

  2. Our middleware processes it.

  3. We forward the payload to Monday.com using the webhookUrl received from the custom trigger.


However, when sending this request to the webhookUrl, I get an “Unauthorized” error.

I’m using my Monday API token to make the request.


Is there something I’m missing regarding authentication when calling the webhookUrl from a backend service?



Any help or guidance would be greatly appreciated!

Thanks in advance 🙏


The signing secret is for the app, it is not per user. You should store it in a safe place where you retrieve it through NodeJS code.


The webhook in monday sends a post to the endpoint when the criteria are met (e.g. when a new item is created, send a webhook). You can’t post to that webhook from an outside app.


Hi @basdebruin


Thank you. If I had any doubt, I would ask here.

