I would like to see support for mutual TLS added to the apps framework, and ideally the API. This way, beyond the API key and JWT, the actual connection can be verified as coming from monday, and monday can verify the API calls are coming from our servers (not just using a token for our app).
I do realize this could be difficult, so I am not expecting this any time soon. I’d just like to be able to push security past using tokens and JWTs to actually being able to verify the actual origin of the request is what it says it is.
An easy first step, though, would be for monday to publish a certificate chain for the servers that send integration events and the install/monetization webhooks, etc. We could then at least use this to verify the origin of these requests (beyond the JWT).