I need to secure a custom REST endpoint that integrates with Monday.com. Initially, I tried using API keys, but I couldn’t find a way to modify headers for Monday’s webhooks. Now, I’m exploring JWTs for added security, but it seems the only option to generate a signing secret is through creating an app in the Developer Center. Is that the case, or are there alternative ways to securely set up this integration?
Hello there @kaelor.fogo and welcome to the community!
What would your integration do exactly?
And how would you use the token (such as a signing secret)?
Hello! Thanks for the welcome!
The integration is set up to trigger a custom REST endpoint whenever specific board events happen, allowing it to gather and process relevant data as part of the workflow. I initially explored API keys for authentication, but given Monday’s webhooks don’t support custom headers, I’m now considering JWTs to validate the webhook source securely.
I’d use the JWT’s signing secret to verify each event, ensuring it’s genuinely from Monday. Could you confirm if creating an app in the Developer Center is necessary for setting up the signing secret, or if there are alternative ways to achieve secure verification for these requests?
Hello again @kaelor.fogo,
I think that might be a good approach!
An app is indeed needed to have a signing secret (you can use custom actions here).
Let me know if you have any other questions!
Cheers,
Matias
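
The verification step discussed in this thread, sketched as an added example; it is not code from any of the posts or from monday.com. It assumes the JWT arrives in the request's `Authorization` header and is signed with HS256 using the app's signing secret; the function names, the secret and the claims are hypothetical, and `sign_hs256` exists only to build constructed test tokens.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims, secret):
    """Stand-in for the sender, used only to build constructed test tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64url_encode(mac.digest())}"


def verify_webhook_jwt(authorization, secret, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    token = authorization.strip()
    if token.startswith("Bearer "):  # assumption: the prefix may or may not be sent
        token = token[len("Bearer "):]
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not be able to pick "none".
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
        # Constant-time compare so timing does not reveal the valid signature.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if exp is not None and (time.time() if now is None else now) >= exp:
            return None
        return claims
    except (ValueError, TypeError):
        return None  # malformed token: reject, never raise into the handler
```

The endpoint should respond with 401 whenever `verify_webhook_jwt` returns `None`, and should read the signing secret from configuration rather than source code.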