Callbacks are created by a webhook consumer when subscribing to a webhook. A callback is the endpoint to which the consumer wants webhook events delivered. They consist of:
Callbacks can be managed by any user within the same Consumer Group and Entity as the user who created the callback.
To edit a callback, follow these steps:
Note: Editing a callback affects every other subscription that uses that callback.
HMAC (Hash-based Message Authentication Code) is a symmetric message-authentication scheme built on a hash function and a shared secret. When a consumer chooses to secure the callback with an HMAC signature, they must specify the following:
Once configured, webhookie applies an HMAC signature to every event sent to this callback.
The signature appears in the Authorization header and takes the form:
Authorization: Signature keyId=my-key-id,algorithm=HmacSHA256,headers=(request-target) date x-trace-id x-span-id,signature=<signature>
where:
The callback validates the signature by recomputing the HMAC over the listed headers with the shared secret and comparing the result to the signature value in the header. A match confirms that the headers were not altered in transit, which protects the integrity of the event; in addition, the Date header can be checked against the current time to reject replayed deliveries.
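A callback-side verifier for the Authorization header format shown above, as an added example that is not part of webhookie or its documentation: it recomputes the HMAC over the listed headers with the shared secret, compares it in constant time, and rejects deliveries whose Date falls outside a replay window. The signing-string layout (HTTP Signatures draft style), base64 encoding of the MAC, the five-minute window and all sample values are assumptions.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

SECRET = b"constructed-shared-secret"  # constructed; load the real secret from config
KEY_ID = "my-key-id"
SIGNED_HEADERS = ["(request-target)", "date", "x-trace-id", "x-span-id"]
MAX_SKEW = timedelta(minutes=5)  # accepted Date drift; the value is an assumption

def signing_string(method, path, headers):
    # "name: value" per signed header; (request-target) = lowercase method + path (assumption)
    lines = [f"(request-target): {method.lower()} {path}"]
    lines += [f"{n}: {headers[n]}" for n in SIGNED_HEADERS[1:]]
    return "\n".join(lines)

def parse_signature_header(value):
    # "Signature k=v,k=v,..." -> dict; the base64 signature may itself end in "=".
    scheme, _, params = value.partition(" ")
    if scheme != "Signature":
        raise ValueError("not a Signature scheme")
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in params.split(","))}

def sign(method, path, headers, secret=SECRET):
    # The value the sender attaches; base64 encoding of the MAC is an assumption.
    mac = hmac.new(secret, signing_string(method, path, headers).encode(), hashlib.sha256)
    return (f"Signature keyId={KEY_ID},algorithm=HmacSHA256,headers={' '.join(SIGNED_HEADERS)},"
            f"signature={base64.b64encode(mac.digest()).decode()}")

def verify(method, path, headers, secret=SECRET, now=None):
    # Recompute the MAC, compare in constant time, then reject stale Date values (replay).
    try:
        p = parse_signature_header(headers["authorization"])
        if (p["keyId"] != KEY_ID or p["algorithm"] != "HmacSHA256"
                or p["headers"].split() != SIGNED_HEADERS):  # every expected header covered
            return False
        expected = hmac.new(secret, signing_string(method, path, headers).encode(), hashlib.sha256)
        if not hmac.compare_digest(expected.digest(), base64.b64decode(p["signature"])):
            return False
        sent = parsedate_to_datetime(headers["date"])
        return abs((now or datetime.now(timezone.utc)) - sent) <= MAX_SKEW
    except (KeyError, ValueError, TypeError):
        return False

def demo():
    # Constructed delivery, plus wrong-secret, tampered and replayed variants.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    h = {"date": format_datetime(now, usegmt=True), "x-trace-id": "trace-1", "x-span-id": "span-1"}
    h["authorization"] = sign("POST", "/hooks/orders", h)
    return {"valid": verify("POST", "/hooks/orders", h, now=now),
            "wrong_secret": verify("POST", "/hooks/orders", h, secret=b"other", now=now),
            "tampered": verify("POST", "/hooks/orders", {**h, "x-trace-id": "trace-2"}, now=now),
            "replayed": verify("POST", "/hooks/orders", h, now=now + timedelta(hours=1))}
```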
OAuth 2.0 with the client credentials flow can also be used to secure the callback. When securing via OAuth 2.0, the consumer must provide:
Token Endpoint: The OAuth 2.0 authorization server's API endpoint from which the access token is retrieved.
Client ID: The client ID used for the subscription. It is recommended to use one client ID per subscription.
Client Secret: The client's secret.
Scopes: Optional. If provided, the access token is limited to the requested scopes.
When an activated subscription has OAuth 2.0 configured, webhookie calls the token endpoint to retrieve an access token. If successful, webhookie places the access token in the Authorization header in the form:
Authorization: Bearer <accesstoken>
Once retrieved, the access token is cached and reused for the subscription until it expires.
If an access token cannot be retrieved, the subscription becomes blocked.