webhook callback security
I am working with a client to integrate Smartsheet with their other system through the use of API and REST services. One of the things that got me interested is the use of webhooks to monitor what is happening in Smartsheet and to follow our event-driven architecture. My concern is, if I read the documentation correctly, I do not see configuration to provide authentication type for the callbackURL. Does this mean, Smartsheet is posting data to the callbackURL without any authentication and juet let the application / endpoint receiving the callback to check the authenticity of the message based on the secret key?
Best Answer
-
Hello @RC GGI ,
There are two methods you have to verify the payload information is the Webhook ID and the authentication procedure is described here: https://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.
As far as private information being sent to a "compromised" address, AFAIK a design consideration for our existing Webhooks design was to send "skinny" payloads such that customer data is not exposed in the payload. In order to retrieve that information an additional API request is required with a valid API token.
Let me know if you have any questions!
Regards
Sean
Answers
-
Hello @RC GGI ,
There are two methods you have to verify the payload information is the Webhook ID and the authentication procedure is described here: https://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.
As far as private information being sent to a "compromised" address, AFAIK a design consideration for our existing Webhooks design was to send "skinny" payloads such that customer data is not exposed in the payload. In order to retrieve that information an additional API request is required with a valid API token.
Let me know if you have any questions!
Regards
Sean
-
Hi @Sean Morgan,
Thanks for the reply. That is what I thought as well. We can only authenticate by reading/examining the payload (which means the incoming request has already been "in" the receiving endpoint). This is a bit of a setback due to the fact that we are limited by security protocol and the API management tool we are using (that is all endpoints should be exposed through SSL and authenticated by at least basic authentication). This is just unfortunate as webhook will definitely fit our event-driven architecture. We might opt to make use of polled services to scan / monitor the sheets for any changes.
-
@RC GGI what about an AWS intermediary to authenticate with your end point?
Categories
- All Categories
- 14 Welcome to the Community
- 10.7K Get Help
- 63 Global Discussions
- 69 Industry Talk
- 385 Announcements
- 3.5K Ideas & Feature Requests
- 55 Brandfolder
- 125 Just for fun
- 50 Community Job Board
- 464 Show & Tell
- 40 Member Spotlight
- 44 Power Your Process
- 28 Sponsor X
- 234 Events
- 7.3K Forum Archives
