Security emergency bug in monday workflow triggers

The bug touches the “Monday workflows” feature, specifically custom triggers.
I’ve set up the trigger logic with /subscribe and /unsubscribe endpoints.
Now I want to trigger the endpoint (webhook_url) and trigger my block on monday.

Here is a link to the docs:

What they say to do:
Make a POST request and create a JWT with appId in the payload, sign it with the signing secret and put the JWT in the Authorization header.
I think this is the correct way for it to work; however, it is not working and returns status 401 Unauthorized.

The only way I made it work is passing the raw signing secret in the Authorization header, which made my trigger block finally execute.

Please fix this annoying issue (which is also a security issue; no one wants to pass the signing secret in raw format) and make your API follow the documentation provided.

Hello @pavlo-vasylenko
Hi Pavlo, thanks for the clear breakdown.

A 401 usually means the JWT is not being generated or sent correctly. For trigger endpoints you should:

• Sign a JWT with your app’s Signing Secret using HS256
• Include the required payload
• Send it as Authorization: Bearer <your_jwt>

Passing the raw signing secret is not expected and suggests the JWT signature or formatting is off. Double check the secret matches your app, the token is valid, and the header format is exact.

If you’d like hands-on help or want us to walk through this live, you can book a 1:1 paid 60-minute strategy session with our team here:
:backhand_index_pointing_right: Calendly

And the only way I made it work is this:

    // Workaround that actually executes the trigger block: the raw signing secret in the header
    const axios = require("axios");
    const res = await axios.post(url, data, {
      headers: {
        "Content-Type": "application/json",
        Authorization: `${signingSecretRawValue}`,
      },
      timeout: 10000,
    });

I’d like to share it live, but I’m not willing to pay $50 so you can fix a potential bug in your system :thinking:

Let me share the code I was using to generate a JWT:

    const jwt = require("jsonwebtoken");
    const axios = require("axios");

    const secret = "APP SIGNING SECRET FROM APP SETTINGS";
    const payload = {
      appId: 102…., // my app id from app settings
    };

    // HS256 is jsonwebtoken's default algorithm; the token expires after one minute
    const token = jwt.sign(payload, secret, { expiresIn: "1m" });
    const url = "URL THAT MONDAY GAVE ME IN /subscribe REQUEST";
    const data = {
      trigger: {
        outputFields: {
          assetId: "some content here",
        },
      },
    };

    // Token sent exactly as the docs describe: Authorization: Bearer <jwt>
    const res = await axios.post(url, data, {
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
      },
      timeout: 10000,
    });

Request failed
Status: 401

This code fully satisfies the documentation:

@drtanvisachar please can you help?