Verifying Authenticity of Incoming Webhooks

Hello,

My company has been using Monday for a few months now and they absolutely love it. I am a developer on the internal development team here and have been asked to work on a few integration pieces between our custom-built internal tooling and monday.

I would like to walk through our current process just to be abundantly clear about what I am trying to achieve as well as the issue I am facing.

Our internal system allows users to generate what we call Bids. These bids are estimates we provide to clients for potential work. Once these bids are accepted, they can be split out into multiple Jobs. These jobs represent a project that we will work on for the client.

Our project managers then need to get the Job on the schedule and decide which of our field personnel will be working on said job. Our internal system does not provide any scheduling functionality, so the PMs will assign users to the job so that they can clock in/out, etc., and manually add an item to our main schedule board in Monday which they have dubbed “Jobs Tracker”.

What I have been tasked with is making this a simple button press in our internal system to add that item and bring over relevant information (customer, assigned employees, files from the bid, etc.). While I have been successful with this through the use of the GraphQL API, I wanted to set up webhooks so that when information is changed for a Job in Monday that pertains to scheduling (simple start & end date for now), our system is notified and will then update the Job so that information is consistent between Monday and our internal system.

I have also been successful in setting up these webhooks as I have done similar integrations in the past. Finally, we come to the issue at hand:

The options for verifying the authenticity of incoming webhooks from Monday to the provided webhook url are lacking.

I have been using my personal API key for development, but when it comes to options for apps I feel as if the current setup is very narrow in what it can support. I’m sure it works great for public marketplace applications, but in a case such as ours it seems our options are either to leave our webhook endpoints unauthorized, or create a dummy account and manually auth it for an app each time.

Maybe I am misunderstanding how this OAuth system is intended to be used, but our integrations do not need to be scoped to a user. The “app” would need read/write access everywhere, especially while we build this thing out. Scoping the app to a user and asking them to set up the integrations themselves will be a massive headache when something like this could very easily be remedied by allowing for something like App Registrations, which would provide an API key to be used by our app and a JWT sent with each webhook that is signed by that key or something similar.

I also don’t see how to simply set up a webhook with an app created through the development center as the Webhooks page shows only App Lifecycle Events as triggers. I also looked into the integration for sentence builder “Feature” and saw that the trigger I needed was there, but didn’t see an action to send a webhook.

Hopefully I am missing something here and this is an oversight on my part, but I’ll ask anyways.

Is there really no way to simply authenticate a webhook or attach a custom header to webhooks without setting up OAuth?

Any advice is appreciated. I would like to note I am fully aware that public API endpoints can be reached by anyone on the internet as stated in a suggestion by support personnel on an old thread with a similar topic. That is exactly why we want to be able to verify the authenticity of the requests to reach those endpoints as it seems many developers have these endpoints set up as a sync between monday and internal tooling like I have.
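The scheme the post asks for (a shared app secret, and a signed token sent with every webhook that the receiver checks before trusting the payload) can be sketched end to end. The block below is an added illustration and is not monday.com's webhook format or any code from the poster: it assumes a hypothetical `Authorization: Bearer <JWT>` header carrying an HS256 token whose claims bind the token to the exact request body and give it a short lifetime. The sender-side `sign_webhook` stands in for what the platform would do; `verify_webhook` is the check an internal endpoint would run. Secret and payload are constructed sample values.

```python
"""
Hypothetical signed-webhook check (added example, not the platform's scheme).
A per-app shared secret signs a compact HS256 JWT placed in an Authorization
header; the receiver rejects anything that is not a valid, unexpired token
bound to the bytes it actually received.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over the JWT signing input (header.claims)."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def sign_webhook(body: bytes, secret: bytes, issued_at: int, ttl: int = 300) -> str:
    """Sender side: bind the token to the payload via a SHA-256 digest of the
    body bytes and give it a short lifetime so captured requests age out."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iat": issued_at,
        "exp": issued_at + ttl,
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(b64url_encode(hs256(signing_input, secret)))
    return ".".join(segments)


def verify_webhook(authorization: Optional[str], body: bytes, secret: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side. Returns True only when the header carries a token whose
    signature, algorithm, expiry and body digest all check out."""
    now = int(time.time()) if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return False
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return False
    # Pin the algorithm on the receiver; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hs256(f"{header_b64}.{claims_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return False
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return False  # expired or missing expiry: replay window is closed
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, str(claims.get("body_sha256", ""))):
        return False  # payload differs from what was signed
    return True


if __name__ == "__main__":
    # Constructed sample values, not a real secret or a real event.
    secret = b"constructed-example-app-secret"
    body = b'{"event":{"type":"update_column_value","boardId":1}}'
    token = sign_webhook(body, secret, issued_at=int(time.time()))
    print("valid:", verify_webhook("Bearer " + token, body, secret))
    print("tampered:", verify_webhook("Bearer " + token, body + b" ", secret))
```

Two details matter more than the JWT plumbing: the signature is checked with `hmac.compare_digest` rather than `==`, and the body digest plus `exp` mean that a captured request cannot be replayed with a different payload or after the window closes. Whatever header name and token format the platform eventually provides, the receiver-side checks are the same shape.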