webhook callback security

I am working with a client to integrate Smartsheet with their other system through the use of API and REST services. One of the things that got me interested is the use of webhooks to monitor what is happening in Smartsheet and to follow our event-driven architecture. My concern is, if I read the documentation correctly, I do not see configuration to provide authentication type for the callbackURL. Does this mean, Smartsheet is posting data to the callbackURL without any authentication and juet let the application / endpoint receiving the callback to check the authenticity of the message based on the secret key?

Best Answer

Answers

  • Sean Morgan
    Sean Morgan Employee
    Answer ✓

    Hello @RC GGI ,

    There are two methods you have to verify the payload information is the Webhook ID and the authentication procedure is described here: https://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.

    As far as private information being sent to a "compromised" address, AFAIK a design consideration for our existing Webhooks design was to send "skinny" payloads such that customer data is not exposed in the payload. In order to retrieve that information an additional API request is required with a valid API token.

    Let me know if you have any questions!

    Regards

    Sean

  • RC GGI
    RC GGI ✭✭

    Hi @Sean Morgan,

    Thanks for the reply. That is what I thought as well. We can only authenticate by reading/examining the payload (which means the incoming request has already been "in" the receiving endpoint). This is a bit of a setback due to the fact that we are limited by security protocol and the API management tool we are using (that is all endpoints should be exposed through SSL and authenticated by at least basic authentication). This is just unfortunate as webhook will definitely fit our event-driven architecture. We might opt to make use of polled services to scan / monitor the sheets for any changes.

  • JeremiahHorstick
    JeremiahHorstick ✭✭✭✭✭✭

    @RC GGI what about an AWS intermediary to authenticate with your end point?