Skip to main content

Verifying webhook athenticity

  • July 5, 2022
  • 2 replies
  • 828 views
S

Hello

I understand custom actions have a JWT token on the “Authorization” header that allows my server to verify the source of the call, but what about webhooks? I’ve noticed there’s no such header, so how can I validate the webhook call came from Monday.com?

2 replies

A
  • Anonymous
  • July 5, 2022

Hello @sp-keyzy!

Welcome to the community, we hope you like it here 🚀

You are correct in that webhooks do not provide the benefits that come with the authorization header included in custom actions.

However, our servers will send a "challenge’ to your URL to verify that you control the endpoint you provide. Our platform checks this by sending a JSON challenge to your endpoint, and your app should respond back with the same challenge.

We will send a JSON POST body, containing a “challenge” field. This is a randomly generated token that we expect you to return as a “challenge” field of your response JSON body to that request.

Here is what the “Challenge” will look like:

{
 "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P"
}

The response body should be an identical JSON POST body:

{
 "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P"
}

Here is a simple example in JavaScript of a webhook listener that will print the output of the webhook and respond correctly to the challenge:

app.post("/", function(req, res) {  console.log(JSON.stringify(req.body, 0, 2));    res.status(200).send(req.body);})
S
  • sp-keyzy
  • Author
  • New Participant
  • July 6, 2022

The problem with challenge is that I get it only when I register the webhook, not when it triggers

Is there a way to do an official feature request to get some sort of authentication available to webhooks?

Terms & ConditionsCookie settingsAccessibility statement